PCI compliance is required for any business that stores, processes, or transmits cardholder data. This is true whether the business is considered a merchant or a service provider.
- Merchants are businesses that accept payment cards from American Express, Discover, JCB, MasterCard, or Visa as payment for their goods or services.
- Service providers are businesses that are not merchants or payment brands, but that are directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. (PayPal, for example, is considered a service provider.)
Who is Considered a Merchant?
In some cases, the term “merchant” can be confusing, in that it brings to mind the concept of a traditional retail store. However, there are many different types of businesses that are categorized this way for the purposes of PCI compliance. This includes:
- Manufacturers
- Distributors
- Colleges and universities
- Government agencies
- Utilities providers
- Telecommunications vendors
- Professional services companies
- Charities and non-profits
These businesses – along with brick-and-mortar, e-commerce, and mail order/phone order retailers – are all required to be PCI compliant if they process, store, or transmit any kind of cardholder payment data on their systems.
PCI Compliance Requirements by Merchant Level
As a merchant, your PCI compliance requirements will depend on the number of payments you process each year, as well as the way(s) in which you handle credit and debit card data.
Merchant Compliance Levels
All merchants will fall into one of four merchant levels based on 12-month transaction volume.
- Level 1: Merchants that process over 6 million transactions annually
- Level 2: Merchants that process between 1 million and 6 million transactions annually
- Level 3: Merchants that process between 20,000 and 1 million transactions annually
- Level 4: Merchants that process fewer than 20,000 transactions annually
These volume tiers are based on a company’s total credit card transactions across all of their channels. For instance, a business that processes credit card payments for 15,000 mail orders, 15,000 e-commerce transactions, and 15,000 face-to-face transactions in one year would be considered a Level 3 merchant, having processed 45,000 total transactions.
Merchants at all levels are required to comply with the PCI Data Security Standard (PCI DSS). However, the validation requirements, meaning the amount of proof you need to provide to show that you are PCI compliant, vary by level.
- Level 1:
  - An annual Report on Compliance (ROC), completed by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company
  - An Attestation of Compliance (AOC) form
  - A quarterly network scan by an Approved Scan Vendor (ASV)
- Levels 2 and 3:
  - An annual Self-Assessment Questionnaire (SAQ)
  - An Attestation of Compliance (AOC) form
  - A quarterly network scan by an Approved Scan Vendor (ASV)
- Level 4: These may vary based on the merchant’s acquiring bank, but – as with levels 2 and 3 – the validation requirements typically include an annual Self-Assessment Questionnaire (SAQ) and a quarterly network scan by an Approved Scan Vendor (ASV).
If you have questions about what level you are considered or what documentation you need to provide to validate your compliance, it’s best to consult with a PCI-Qualified Security Assessor (QSA). A QSA can help you interpret the complex requirements of the PCI DSS and make sure you are meeting your security obligations.
Using Self-Assessment Questionnaires to Demonstrate PCI Compliance
Level 1 merchants must work with a QSA to complete a third-party Report on Compliance. However, those who fall under levels 2, 3, and 4 can complete their own Self-Assessment Questionnaire and Attestation of Compliance to satisfy their security requirements.
The type of SAQ you will need to complete will vary based on your payment processing activities. Merchants that have fully outsourced their cardholder data functions can qualify for the shortest SAQ (the SAQ-A), while those that handle more complex data processing functions will need to complete a more in-depth questionnaire. If your business is required to complete the longest version, the SAQ-D, you’re looking at 76 pages of technical security questions.
Submitting PCI Compliance Documentation
Once you have completed all the sections of your required SAQ, you can submit the SAQ and the Attestation of Compliance to your acquirer or payment brand. (As part of this process, you may also need to submit supporting security documentation, such as a copy of your most recent ASV scan.) You do not need to submit this information directly to the PCI Council for your business to be compliant.
Reducing your PCI Compliance Requirements
Meeting PCI compliance requirements can be time-consuming, especially if you don’t have an in-house security department. The information-gathering process can take months. This is something we at Curbstone understand extremely well, considering that we complete the Level 1 Service Provider audit every year. However, you can take steps to qualify for one of the shorter, easier Self-Assessment Questionnaires. This is called reducing your PCI scope.
Here’s an example:
If you process payments in an order entry application that transmits a customer’s credit card data to your authorization network, that application, along with the device running it and the network it is on, would be “in scope” for your PCI Self-Assessment Questionnaire. You would have to answer the relevant questions about the data security controls for this application and the environment it resides within.
However, if you start processing those credit card transactions in a business application that does not touch the cardholder data, that part of your network is no longer “in scope” for your PCI SAQ. You get to avoid the documentation and reporting for that part of your system.
An important note: when you choose a payment processing solution with the goal of reducing your own compliance requirements, be sure you’re choosing a PCI-Validated Level 1 Service Provider. This is the highest level for a service provider and comes with the strictest security requirements. This ensures that you can rely on their security controls to help protect your customers’ payment data.
What Happens if Your Business isn’t PCI Compliant?
As complicated as the process can be, it may be tempting to look for ways to avoid the burden. However, PCI compliance is enforced by acquirers – the entities that maintain your signed merchant agreement.
If you do not maintain compliance and submit the corresponding documentation within the required timeline, your acquirer may choose to terminate the relationship. They may also issue non-compliance fines and/or increase your transaction fees.
There’s also the risk of a potential data breach. If you aren’t maintaining appropriate data security standards, your customers’ payment data may be vulnerable to unauthorized use. To avoid these complications, it’s crucial to meet the standards of the PCI DSS and validate your efforts accordingly.
Learn More About Simplifying PCI Compliance
At Curbstone, we’ve worked with merchants at all levels – from local businesses to large national corporations. Our software has helped these merchants take their infrastructure out of scope for PCI reporting and audits, making it much easier to process credit and debit card payments without extensive reporting efforts.
“The first time we looked at that long questionnaire, we knew we wanted to avoid it. Curbstone has made it very easy to get on the path to PCI compliance, even with our small IT team.” – Bartlett Bearing Company
To learn more about doing the same for your business, contact us today.
This article is provided for general informational purposes only and does not constitute legal advice. If you have questions about your specific compliance requirements, please consult with your PCI-certified Qualified Security Assessor (QSA).