Every business that stores, processes or transmits cardholder data from credit, debit or other payment cards is required to comply with the PCI DSS (Payment Card Industry Data Security Standard). The requirement is contractual: the card brands impose it through the merchant's acquiring bank, so it binds every company that accepts card payments, not only those that keep card data on file. Failure to comply can result in restrictions, heavy fines, or termination of the merchant's ability to accept cards and process payments.
Becoming PCI Compliant
For merchants that validate through self-assessment, the process of becoming PCI compliant usually takes between one day and two weeks. The actual time depends on which Self-Assessment Questionnaire (SAQ) applies and how long it takes to complete: a merchant that fully outsources card handling to a hosted payment page answers a short questionnaire, while one that stores cardholder data on its own systems must answer the full questionnaire covering all twelve PCI DSS requirements. In addition, the business will need to pass an external vulnerability scan performed by an Approved Scanning Vendor (ASV). Once the questionnaire has been completed and the scan passed, the attestation and scan report are submitted to the company's merchant bank (the acquirer), which in turn reports to the card brands that the merchant has validated its compliance.
Which validation requirements apply depends on the merchant level, which is assigned based on the number of transactions the business processes every year. The thresholds below follow the older Visa definitions; the card brands revise them (Visa and Mastercard currently draw the boundary between Level 2 and Level 3 at 1 million transactions rather than 150,000), so a merchant should confirm its assigned level with its acquirer. In detail, these include:
Level 1 Requirements – Merchants processing more than 6 million transactions a year, or any merchant that has suffered a data compromise (the card brands may assign Level 1 at their discretion), must pass a quarterly external network scan by an ASV and an annual on-site security assessment by a Qualified Security Assessor (QSA) or a qualified internal auditor, resulting in a Report on Compliance (ROC).
Level 2 Requirements – Merchants processing between 150,000 and 6 million transactions a year must complete the self-assessment questionnaire annually and pass a quarterly external scan performed by an ASV.
Level 3 Requirements – Merchants processing between 20,000 and 150,000 e-commerce transactions a year must complete the self-assessment questionnaire annually and pass a quarterly external scan performed by an ASV (Approved Scanning Vendor).
Level 4 Requirements – Merchants processing fewer than 20,000 e-commerce transactions a year must maintain compliance at all times. The card brands do not require them to report compliance, but the acquirer may still require an annual self-assessment questionnaire and quarterly ASV scans where applicable.
Every business that stores, processes or transmits cardholder data must determine its merchant level as assigned by the card brands. It then needs to determine its validation type, that is, which SAQ matches the way it handles card data (for example SAQ A for an e-commerce merchant that fully outsources payment handling to a PCI DSS compliant provider, or SAQ D for a merchant that stores cardholder data on its own systems), and report its compliance by completing that questionnaire.
The submission should also include the vulnerability scan reports produced by the ASV. The scan must cover every public-facing IP address and domain through which cardholder data is processed, viewed or handled, and it passes only if no vulnerability with a CVSS base score of 4.0 or higher is found on any in-scope host. A scan that omits part of the external footprint does not validate the environment, so the list of scanned addresses should be checked against the actual internet-facing systems before the report is submitted.
Becoming compliant and maintaining that status might appear overwhelming. However, businesses that break the process down into smaller pieces can maintain it without much difficulty. The parties involved are the merchant, the hosting provider, the shopping cart (e-commerce application), the authorized payment gateway, the ASV, and the merchant's bank. The merchant should know which of these touches cardholder data, because every component that does is in scope for the assessment, and reducing that set (for instance by letting the gateway handle card entry) is the simplest way to reduce the work.