
Who Needs to be PCI Compliant?

February 22, 2022 (September 1st, 2022)

PCI compliance is required for any business that stores, processes, or transmits cardholder data, whether as a merchant or a service provider.

  • Merchants are businesses that accept payment cards from American Express, Discover, JCB, MasterCard, or Visa as payment for their goods or services.
  • Service providers are businesses that are not payment brands, but that are directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.

Who is Considered a Merchant?

In some cases, the term “merchant” can be confusing, in that it brings to mind the concept of a traditional retail store. However, there are many different types of businesses that are considered to be merchants. This includes:

  • Manufacturers
  • Distributors
  • Colleges and universities
  • Utilities providers
  • Telecommunications vendors
  • Professional services companies
  • Charities and non-profits

These businesses – along with brick-and-mortar, e-commerce, and mail order/phone order retailers – are all required to be PCI compliant if they process, store, or transmit any kind of payment data on their systems.

PCI Compliance Requirements by Merchant Level

As a merchant, your compliance requirements will depend on the number of transactions you process each year, as well as the way(s) in which you handle card data.

Merchant Compliance Levels

All merchants will fall into one of four merchant levels based on 12-month transaction volume.

  • Level 1: Merchants that process over 6 million transactions annually
  • Level 2: Merchants that process between 1 million and 6 million transactions annually
  • Level 3: Merchants that process between 20,000 and 1 million transactions annually
  • Level 4: Merchants that process fewer than 20,000 transactions annually

These volume tiers are based on a company’s total credit card transactions across all of their channels. For instance, a business that processes credit card payments for 15,000 mail orders, 15,000 e-commerce transactions, and 15,000 face-to-face transactions in one year would be considered a Level 3 merchant, having processed 45,000 total transactions.

Merchants at all levels are required to comply with the PCI Data Security Standard (PCI DSS), but the validation requirements, i.e. the amount of proof that the merchant is compliant, vary by level.

  • Level 1: An annual Report on Compliance (ROC) completed with a PCI-Qualified Security Assessor (QSA)
  • Levels 2 and 3:
    • An annual Self-Assessment Questionnaire (SAQ)
    • An Attestation of Compliance (AOC) form
    • A quarterly network scan by an Approved Scan Vendor (ASV)
  • Level 4: These may vary based on the merchant’s acquiring bank, but – as with levels 2 and 3 – the validation requirements typically include an annual Self-Assessment Questionnaire (SAQ) and a quarterly network scan by an Approved Scan Vendor (ASV).

If you have questions about what level you are considered, or what documentation you need to provide to validate your compliance, it’s best to consult with a PCI-Qualified Security Assessor (QSA).

Using Self-Assessment Questionnaires to Demonstrate PCI Compliance

While Level 1 merchants must work with a QSA to complete a third-party Report on Compliance, merchants who fall under levels 2, 3, and 4 can complete their own Self-Assessment Questionnaire and Attestation of Compliance.

Furthermore, SAQ requirements vary based on the merchant’s processing activities. Merchants that have fully outsourced their cardholder data functions can qualify for the shortest SAQ (the SAQ-A), while merchants that handle more complex data processing functions will need to complete a more in-depth questionnaire. If you’re required to complete the longest version, the SAQ-D, you’re looking at 76 pages of technical security questions.

Submitting PCI Compliance Documentation

Once you have completed all the sections of your required SAQ, you can submit the SAQ and the Attestation of Compliance – along with any other requested documentation, such as a copy of your most recent ASV scan – to your acquirer or payment brand. You do not need to submit the information directly to the PCI Council.

Reducing your PCI Compliance Requirements

Meeting PCI compliance requirements can be time-consuming, especially if you don’t have an in-house security department. The information gathering process can take months. This is something we at Curbstone understand extremely well, considering that we complete the Level 1 Service Provider audit every year. However, merchants can take steps to qualify for one of the shorter, easier Self-Assessment Questionnaires. This is called reducing your PCI scope.

Here’s an example:

If you process orders in an order entry application that transmits a customer’s card data, that application, along with the device running it and the network it is on, would be “in scope” for your PCI Self-Assessment Questionnaire. You would have to answer the relevant questions about the data security controls of the application and the environment it resides within.

However, if you start processing those orders in an application that does not touch the customer’s data, that part of your network is no longer “in scope” for your PCI SAQ. You get to avoid the documentation and reporting for that part of your system.

An important note: when you choose a payment processing solution with the goal of reducing your own compliance requirements, be sure you’re choosing a PCI-Validated Level 1 Service Provider. This is the highest level for a service provider and comes with the strictest requirements. This ensures that you can rely on their security efforts to protect your customers’ payment data.

What Happens if Your Business isn’t PCI Compliant?

As complicated as the process can be, it may be tempting to look for ways to avoid the burden. However, compliance is enforced by acquirers – the entities that maintain your signed merchant agreement.

If you do not maintain compliance and submit the corresponding documentation within the required timeline, your acquirer may choose to terminate the relationship. They may also issue non-compliance fines and/or increase your transaction fees.

There’s also the risk of a potential data breach. If you aren’t maintaining appropriate data security standards, your customers’ payment data may be vulnerable to unauthorized use. To avoid these complications, it’s crucial to meet the relevant standards and validate your efforts accordingly.

Learn More About Simplifying PCI Compliance

At Curbstone, we’ve worked with merchants at all levels – from local businesses to large national corporations. Our software has helped these merchants take their infrastructure out of scope for PCI reporting and audits, making it much easier to process credit and debit card payments without the extensive reporting efforts.

“The first time we looked at that long questionnaire, we knew we wanted to avoid it. Curbstone has made it very easy to get on the path to PCI compliance, even with our small IT team.” – Bartlett Bearing Company

See How Bartlett Simplified PCI Compliance

To learn more about doing the same for your business, contact us today.

This article is provided for general informational purposes only and does not constitute legal advice. If you have questions about your specific compliance requirements, please consult with your PCI-certified Qualified Security Assessor (QSA).