What you must know about
PCI Compliance
It is no secret that identity theft is a growing concern for businesses and consumers alike. Every day, it seems, there are new reports of the damage a breach of personal information can do to its victims. Recognizing this threat, the United States Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which addresses many aspects of identity theft, from prevention and credit history restoration to credit report access.
Since then, identity theft has continued to pose a major threat to consumers. In response, the major card brands (Visa®, MasterCard®, American Express®, Discover® and JCB) came together to establish a common set of security requirements for every business that stores, processes or transmits cardholder data: the Payment Card Industry Data Security Standard (PCI DSS). Meeting these requirements is commonly referred to as PCI Compliance, and every merchant that accepts payment cards is expected to comply.
If you're a business that takes credit cards, this may leave you with the obvious question, "How do I know if I am PCI Compliant?"
Though PCI Compliance may seem complicated, there are five basic steps your business should follow in order to ensure compliance.
Step 1: Determine Your Merchant Level
First, you must know your merchant level. The merchant level is determined by the number of card transactions the business processes per year. (Note: This is the number of transactions, not the dollar amount of sales revenue.) The thresholds are set by each card brand; the Visa® and MasterCard® levels used here are:
Level 1 - Businesses that process 6 million or more Visa® or MasterCard® transactions per year.
Level 2 - Businesses that process between 1 million and 6 million transactions per year.
Level 3 - Businesses that process 20,000 to 1 million Visa® or MasterCard® e-commerce (Web) transactions per year.
Level 4 - Businesses that process fewer than 20,000 e-commerce transactions per year, and all other businesses, regardless of how they accept cards, that process up to 1 million transactions per year.
The large majority of business owners will fall under level 4, which is the level being addressed in this article.
Step 2: Identify your Validation Type and which Self-Assessment Questionnaire your business needs to complete.
Your validation type is determined by how you accept card payments (for example, card-present terminals only, an e-commerce site that hands off payment to a third-party gateway, or systems that store cardholder data). Each validation type maps to a specific version of the Self-Assessment Questionnaire (SAQ). To find your validation type and download the corresponding questionnaire, visit www.pcisecuritystandards.org.
Step 3: Complete the Self-Assessment Questionnaire.
Now that you know your validation type and have the correct questionnaire, step three is simply to follow the instructions in the questionnaire and complete it. Many processors offer an online tool to help you work through it, so it may be to your advantage to check with your processor before starting.
Step 4: Determine if your business is required to pass a vulnerability scan.
This step applies to businesses that electronically store cardholder information or whose payment processing systems are reachable from the Internet. Generally speaking, this means businesses that operate a website capable of accepting card payments through a payment gateway.
If that describes your business, you need a quarterly external vulnerability scan of those Internet-facing systems performed by a PCI SSC Approved Scanning Vendor (ASV). A scan that reports failing findings must be remediated and rescanned until it passes. Your processor most likely has an arrangement with an ASV, so you should not have to search one out yourself.
Step 5: Complete an Attestation of Compliance
Once you've completed the appropriate questionnaire, your processor may also require you to complete and submit an Attestation of Compliance (AOC), which is included within the questionnaire document. (Found at www.pcisecuritystandards.org)
In review, your business will need to submit the completed SAQ, evidence of a passing ASV scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer or processor. Validation is typically repeated every year, but your processor may have tools in place to make the annual paperwork easier to complete.
Still have questions? We understand. We recommend you call your processor or Solveras Payment Solutions at 800-613-0148.
Sign up for our next PCI Compliance Webinar.
Author: Brian Bickel
Vice President of Sales
Solveras Payment Solutions
