If you’re a new business owner and have just begun accepting credit cards for payments, you don’t want to be caught unaware of the regulations involved in handling sensitive personal data. The consequences of improper procedures could be penalties, fees and even termination of your card processing account. Read on to learn about PCI regulations and what you need to do to remain compliant.
What Is PCI?
PCI stands for Payment Card Industry. When referring to the subject of PCI compliance, you are actually talking about a set of industry standards known as PCI DSS, where the “DSS” stands for Data Security Standards. These standards were designed to ensure that businesses handle credit card information in a secure manner.
The Payment Card Industry Security Standards Council (PCI SSC) was established in 2006 by the major credit card brands, including MasterCard, Visa, American Express and Discover. The council maintains the standard and focuses on improving the security of credit card transactions as technology and market trends change the security concerns in the industry.
According to Visa Chief Enterprise Risk Officer Ellen Richey, “…no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.” (quoted via Wikipedia)
Who Needs To Comply With PCI Security Standards?
In short, any organization or business that handles credit card information or transactions is responsible for following PCI security standards. This includes businesses of all sizes that accept, transmit or store credit card or cardholder data, including companies that outsource their credit card processing to a third party.
PCI Compliance Levels
In order to understand your compliance requirements, you need to know what your compliance level is for each brand of credit card you accept for purchases. Each credit card brand has its own compliance program, and each defines its levels by the volume of transactions made with that brand alone.
For example, Visa classifies an organization that completes up to 1 million transactions in 12 months as a level 4 merchant, while MasterCard classifies the same transaction volume as level 3. American Express, on the other hand, does not even have a level 4 category.
Once you know your compliance level for each brand of credit card you accept, you can take the appropriate action to satisfy your PCI requirements. The specifications for Visa’s four compliance levels are as follows:
- Level 1: Applies to businesses that process over 6 million Visa transactions annually. These businesses must file a Report on Compliance (ROC) and an Attestation of Compliance (AOC) form every year. They must also conduct a network scan every quarter.
- Level 2: Applies to businesses that process between 1 and 6 million Visa transactions annually. These businesses must complete a self-assessment questionnaire and submit an Attestation of Compliance form every year. They must also submit a quarterly network scan.
- Level 3: Applies to businesses that process between 20,000 and 1 million Visa transactions annually. The PCI requirements at this level are the same as for level 2.
- Level 4: Applies to businesses that process fewer than 20,000 Visa transactions and up to 1 million transactions annually for all brands combined. The requirements at this level are a self-assessment questionnaire and Attestation of Compliance form each year and, if applicable, a quarterly network scan by an Approved Scanning Vendor (ASV).
What This Means For Small and Medium-Sized Businesses (SMBs)
Since 2005, more than 80% of card data breaches have involved small businesses. In such cases, if a business is found to be non-compliant, major brands such as Visa are likely to suspend its card processing account.
Smaller business owners may not know that the Best Practice 6.6 security standard went into effect in June 2008, which requires merchants to tighten the security of their public-facing web applications. All eCommerce websites are required to conduct application code reviews and install website firewalls.
Be aware of the requirements for small to medium-sized businesses. For Visa compliance, level 2 and 3 merchants must complete an annual Self-Assessment Questionnaire and quarterly network security scans. Level 4 merchants must also complete an annual PCI Self-Assessment Questionnaire, but in some cases they are not required to complete the quarterly network scan.
It’s worthwhile for all business owners to take the time to understand their compliance requirements for each of the credit card brands they accept. This is especially true of smaller merchants, which are more often targeted by cybercriminals and identity thieves.