PCI DSS (Payment Card Industry Data Security Standard) compliance is a set of rules for businesses who accept card payments online must adhere to. The standard is governed by the Payment Card Industry Security Standards Council (PCI SSC) and it was established by the credit card providers (AMEX, Diners Club, JBL, Mastercard, Visa) in response to the increasing fraud risk for online transactions. It ensures that the card providers agree on what businesses need to do to protect every party involved from consumer data to financial loss for card companies.
Providers & Merchants
The standard is broken into two groups of adherence, one is for service providers and the other is for merchants (those businesses accepting the card payments). A Provider is a company that isn’t a bank or card issuer, but rather is directly involved in the processing, storage or transmission of cardholder data on behalf of another business; including companies that provide services that control or impact the security of cardholder data. For Providers, there are two levels that they can belong to, level 1 being the highest. Merchant’s, in this case, are businesses selling online. Merchants have four levels to understand and they need to decide which level they belong to and therefore behave accordingly. As a merchant, it’s important to only work with providers that offer compliant solutions, you can check a provider’s compliance validity and level on the Visa website . The danger of not being compliant and not declaring your level of compliance is that your company will be held responsible for the damages and the costs. In terms of the compliance process, although it sounds scary and time-consuming for most small businesses it is relatively painless and a cost well worth bearing. For larger businesses, this is where things get complicated and costly, purely because of the complexity of system scope, staff numbers and processes required to continually adhere to higher levels of compliance.
Provider level definitions and requirements
Level 1 Service Provider
Store, process, or transmit more than 300,000 credit card transactions annually from any or all card issuers.
Level 1 Requirements
– Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
– Quarterly network scan by Approved Scanning Vendor (ASV)
– Penetration Test
– Internal Scan
– Attestation of Compliance (AOC) Form
Level 2 Service Provider
Store, process, or transmit less than 300,000 credit card transactions annually.
Level 2 Requirements
– Annual Self-Assessment Questionnaire (SAQ) D
– Quarterly network scan by ASV
– Penetration Test
– Internal Scan
– AOC Form
A Level 2 Provider can choose to become level 1 compliant if they necessary.
Merchant levels
Level 1 Merchant
– Greater than 6M Mastercard or Visa transactions annually
– A merchant that has experienced an attack resulting in compromised card data
-A merchant deemed to be level 1 by a card provider.
Level 2 Merchant
– Between 1m and 6m Mastercard or Visa transactions annually.
Level 3 Merchant
– Between 20,000 and 1m e-commerce Mastercard or Visa transactions annually.
Level 4 Merchant
– Less than 20,000 card Mastercard or Visa e-commerce transactions annually
– Up to 1M Mastercard or Visa transactions annually.
How to become compliant
For both Providers and Merchants who need to be level 1 compliant they will need to have yearly assessments of compliance by a Qualified Security Assessor (QSA), in addition to the requirements for levels 2, 3, and 4. The yearly compliance assessment will consist of a number of steps by the QSA, for Merchants, this includes an examination of your point of sale (POS) system, a detailed review of areas of vulnerability and a prioritized list of improvements to make to prevent attacks. Providers will need to declare the system that’s in scope for the examination and in turn, the QSA will assess this system and provide, gap analyses and recommendations to achieve compliance. It’s then the ongoing responsibility of both Merchants and Providers to ensure that the minimum processes and documentation are created and followed to remain compliant and be ready for future assessments.
Other levels of compliance start with a self-assessment (SAQ) form that’s available form the SSC website. Overall there are 12 requirements that fall under 6 groups that need to be addressed.
Finally, you’ll need to submit the questionnaire and accompanying forms, evidence of passing test plus any extra documentation that your bank, card issuer or payments provider has asked for, even if they haven’t asked for it you are supposed to inform them of your compliance level.
What does compliance cost?
This varies wildly depending on whether you’re a Provider or Merchant, your complexity and size and is both internal and external if you need a QSA and external tests performed. The cost is also ongoing if you factor in the processes and staff time that is required. For micro merchants the cost and processes is minimal and you should just get compliant immediately.
Studies by Gartner and Ponemon have found that year on year the costs are increasing for businesses wanting to be compliant and are on average $500k for larger Merchants, many of whom will find the cost much higher especially due to scope changes year on year at their end. At least a fifth of the cost is spent on understanding the scope and the rest is spent on meeting the standards.
Shuttle is a Level 1 compliant Service Provider and one of the reasons our SaaS customers use us is so that the scope of the PCI audit is contained within Shuttle systems and it is our job to maintain compliance for that scope. Therefore, those customers don’t have to have the deep in-house knowledge and dedicate the time to the processes in the same way that we do. Merchant businesses can also trust us to provide payment services and connections to their payment gateways.
| Type of SAQ | Type of merchant | Account data scope | Electronic account data storage allowed |
|---|---|---|---|
| SAQ A | E-commerce and mail order/telephone order (card not present) | Outsource all payment processing to PCI DSS validated and compliant third parties | No |
| SAQ A-EP | E-commerce | Outsource all payment processing to PCI DSS validated and compliant third parties, with the exception of the page that accepts account data | No |
| SAQ B | Brick-and-mortar (card present) and mail order/telephone order (card not present) | Via imprint machines and/or standalone, dial-out terminals (connected via a phone line to the merchant processor) | No |
| SAQ B-IP | Brick-and-mortar and mail order/telephone order | Via PTS POI devices with an IP connection to the payment processor | No |
| SAQ C | Brick-and-mortar and mail order/telephone order | Via payment application systems (ex. Point of sale systems) connected to the Internet | No |
| SAQ C-VT | Brick-and-mortar and mail order/telephone order | Via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet | No |
| SAQ P2PE | Brick-and-mortar and mail order/telephone order | Via a validated PCI-listed P2PE solution | No |
| SAQ D | All merchants who are eligible to complete an SAQ but do not meet the criteria for any other SAQ type Note: This is the only type of SAQ that applies to service providers who are eligible to complete an SAQ. | May process account data on their website | May have electronic account data storage |
