On September 7, 2006 the major card brands, such as Visa, MasterCard and American Express, collaborated to protect consumers and merchants from the breaches that had taken place. The result was the formation of the Payment Card Industry Security Standards Council (PCI SSC), pcisecuritystandards.org. This council put in place the PCI DSS (Payment Card Industry Data Security Standard), which is the proprietary information security standard for all organizations that store, process or transmit any of the major credit cards. It contains a set of security requirements that cover everything from how your POS should be set up on your wireless WAN to eCommerce and more. To become compliant, a merchant needs to complete an annual self-assessment questionnaire and a quarterly network scan.
1) Understand Your Merchant Level.
(Not to worry: as your provider, we will determine this.)
Each card brand has its own merchant levels. As an example, here are Visa's (the most widely used card). Visa divides merchants into 4 levels based on the number of Visa card transactions over 12 months. Your level determines how stringent your PCI Compliance program must be.
(Note: these levels are based on transaction counts, not dollar amounts.)
Links to the card brands levels are listed here:
The Self-Assessment Questionnaire (SAQ) is a set of documents containing questions based on the requirements of the PCI DSS. There are 12 requirements for compliance, organized into 6 groups. Each requirement has sub-requirements, and there are 9 variations of the SAQ. You will only have to complete one; the one presented to you corresponds to how your business handles credit cards.
After the SAQ you will need to complete the AOC (Attestation of Compliance), which is attached to your SAQ. This attests that you have complied with all the applicable requirements.
The AOC also has 9 variations. Like the SAQ, you will only complete one.
The final step is to submit your completed SAQ and AOC along with any other required documents, such as ASV scan reports.
Validation of compliance is then performed annually: organizations handling large volumes of transactions are assessed by an external Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC); companies handling smaller volumes validate by Self-Assessment Questionnaire (SAQ).
PCI Compliance is not required by federal law. However, some states, such as Nevada, have written PCI Compliance into their state law.
Aside from that, businesses that are not PCI Compliant may be subject to fines, sanctions and loss of privileges from the clearinghouse that processes their credit card payments. If a PCI failure results in the loss of data, the business could face fines, higher fees, and other sanctions from banks and other credit card processors. Businesses can also be subject to lawsuits and government prosecution for failing to protect customer data. If a data breach occurs and your business is not PCI Compliant, your business will be liable for all damages.
Becoming PCI Compliant is necessary for anyone accepting credit cards. You will be reminded as your compliance due date approaches, either by email or on your statement. Not to worry: our PCI Compliance partners are available to assist you with completing this task.
Copyright © 2018 Epic Merchant Services All Rights Reserved.
Epic Merchant Services is a registered ISC of TSYS Business Solutions LLC, 12202 Airport Way, Suite 100, Broomfield, Co. 80021 / One Tsys Way, Columbus, GA 31901 TSYS Business Solutions, LLC. is a registered ISO of Wells Fargo Bank, N.A., Concord, CA; Synovus Bank, Columbus, GA; and Deutsche Bank, New York, NY for Visa and Mastercard transactions only.