Most merchants have heard of the Payment Card Industry Data Security Standard (PCI DSS), and most understand why being PCI compliant matters. But when it comes to actually becoming and staying compliant, many merchants feel overwhelmed and confused. The path to compliance can be complicated: the merchant has to learn which requirements apply to them and then implement practical controls that meet those requirements. To help you get oriented, here is a quick 5-step guide to PCI compliance:
1. Determine Your Compliance Level
Merchant compliance levels are based on your business's yearly transaction volume. The levels are defined by the major card brands (Visa, MasterCard, American Express, and Discover), each of which publishes its own compliance program. Under the Visa, MasterCard, and Discover programs there are 4 levels. They range from Level 4, which covers merchants processing fewer than 20,000 e-commerce transactions per year and/or up to 1 million total transactions per year, to Level 1, which covers merchants processing more than 6 million transactions per year. Note that the counts are per card brand: a merchant with 2 million Visa and 1 million MasterCard transactions is Level 2 under each program, not Level 1. A card brand can also assign a merchant to Level 1 regardless of volume, for example after a data breach.
Although the thresholds are broadly aligned, they are not identical (American Express in particular uses different cut-offs), so check each brand's program. In practice your acquirer tells you which level you fall into, and the level determines how you validate: Levels 2 through 4 generally validate with a Self-Assessment Questionnaire, while Level 1 requires an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC), instead of an SAQ.
2. Fill Out a Self-Assessment Questionnaire (SAQ)
The SAQ is a checklist derived from the 12 PCI DSS requirements. There are several variations (SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, and the full SAQ D), and each corresponds to a specific way of accepting card payments, such as fully outsourced e-commerce, standalone dial-out terminals, or systems that store cardholder data electronically. Choosing the wrong SAQ is a common mistake: a simpler questionnaire does not reduce your obligations, it only means you are attesting to the wrong set of controls. The SAQ instructions and your acquirer can confirm which one applies.
Filling in the SAQ is not a paperwork exercise. Every question has to be answered truthfully, so at this point you need to actually have the required systems and practices in place (network segmentation, access controls, logging, secure configurations, and so on). Any question you cannot answer "Yes" is a gap that must be remediated, or covered by a documented compensating control, before you can attest.
3. If Required, Use an Approved Scanning Vendor (ASV)
Certain merchants, such as those who store cardholder data electronically or whose payment systems are reachable from the internet (for example SAQ A-EP, B-IP, C, and D merchants), must provide evidence of a passing external vulnerability scan. The scan must be performed by a vendor on the PCI Security Standards Council's list of Approved Scanning Vendors, it covers all externally facing IP addresses and domains in scope for your cardholder data environment, and it must be repeated at least quarterly and after any significant change. The scan identifies known vulnerabilities in your internet-facing systems that an attacker could exploit; a passing scan means no vulnerability rated medium or higher (CVSS 4.0 and above) remains unresolved. Note that the ASV scan is external only; PCI DSS also requires internal vulnerability scans, but those are performed by the merchant or a qualified third party, not by the ASV.
4. Complete an Attestation of Compliance
The Attestation of Compliance (AOC) is the formal document in which your business declares that it meets all applicable PCI DSS requirements. There is a version of the AOC for each SAQ type, and a separate one for a ROC. It is signed by an officer of the merchant (and, for a QSA-led assessment, by the QSA), and it must be renewed annually.
5. Submit all Documents
If you handle PCI compliance through your processor's portal, this step is usually taken care of for you. Otherwise, you will need to send your SAQ (or ROC), proof of a passing ASV scan (if required), your Attestation of Compliance, and any other documents your acquirer requires to your acquirer. Keep in mind that compliance is ongoing rather than a one-time event: the SAQ and AOC are revalidated every year, ASV scans are repeated every quarter, and the underlying controls must be maintained in between.
We hope this overview has given you a better understanding of the PCI compliance process. We encourage you to reach out to Fidelity Payment's PCI team for further assistance with becoming and staying compliant.