The PCI Basics/Quick Guide – What Do Small Merchants Need to Do to Achieve PCI Compliance?
The day has come. You have received notification from your acquirer that your organization is required to submit Payment Card Industry (PCI) compliance validation. You’ve also just been informed that there are penalties – most likely fees, but also possible termination of your card acceptance agreement, or other forms of repercussions associated with not providing this validation by a certain date to your acquirer.
A quick search of the Web only comes up with confusing jargon, seemingly conflicting information and unclear guidance. What on earth do you do now? In this article, we will focus on the initial steps to take once you receive that notification in order to help simplify the process for you.
The first step is to determine your level as defined by credit card brand
Why is it important to understand which level you fall under by credit card brand? Each credit card brand has its own umbrella compliance program, which focuses on the number of transactions for that brand's cards alone. To make matters more confusing, the card brands differ both in how they define their levels and in what compliance validation they require you to submit. For example, Level 4 merchants, according to Visa's criteria, are those organizations that have up to 1 million Visa transactions annually. MasterCard categorizes organizations that have up to 1 million MasterCard transactions annually as Level 3 merchants, and American Express doesn't even have a Level 4 category.
Each level brings its own compliance validation requirements. While you may be a Level 4 merchant according to Visa's classifications, you may be a Level 2 merchant according to American Express. The compliance validation requirement for a Level 3 American Express merchant is to provide quarterly scans; a Level 4 Visa merchant is only required to do so at the discretion of its acquiring bank.
Visit the following pages to determine which level you are by credit card brand:
If in doubt, tally your annual transaction counts separately for each credit card brand, then contact your acquirer bank and ask. Acquirer banks have the ultimate decision authority over their merchants' levels, so you should verify your assumptions with your bank. Keep in mind that should your organization suffer a breach at any time, your level may also be elevated, so check with your acquirer bank in this situation, too.
The next step is to determine what you ultimately need to submit for compliance validation
Once you know your level for each brand, you can determine what you are responsible for providing to the acquirer bank in order to validate compliance.
Return to the links above and write down what is required for your level for each credit card brand. You will be looking on each page to determine if you must submit the following:
1) Self-Assessment Questionnaire (SAQ), and/or
2) Quarterly Network Scan
Some card brands make one or both of the above mandatory; others do not.
For example, let’s say you are a small grocery store (without a Web presence) and you process approximately 250,000 credit card transactions annually.
100,000 of those are Visa.
75,000 of those are MasterCard.
45,000 of those are American Express, and
30,000 remaining are Discover.
This would mean that you are the following levels (by card brand):
Visa: Level 4
MasterCard: Level 4
American Express: Level 3, and
Discover: Level 4
According to the card brands, your compliance validation requirements would then be:
| Card Brand | SAQ | Quarterly Network Scan |
|---|---|---|
| Visa | Recommended only | If applicable (if you have externally-facing IPs) |
| American Express | Recommended only | Recommended only |
| Discover | Recommended only | Recommended only |
This table reflects what your acquirer bank would expect you to submit in order to validate compliance; however, keep in mind that the acquirer may change its requirements at any time, so it is worth verifying expectations before beginning work.
The remaining steps to perform prior to beginning your compliance validation are to determine which SAQ is the appropriate one to submit for your organization, and – if you are required to submit quarterly external scans – to select an Authorized Scanning Vendor (ASV).
There are five types of SAQs: A through D. Which version you need to complete depends on, among other things, whether you use your own systems to process payments, whether you store cardholder data, and whether you accept credit cards in person and/or electronically.
| SAQ Validation Type | Description | # of Questions (v2.0) |
|---|---|---|
| A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced to a PCI-compliant service provider | 13 |
| B | Imprint-only merchants with no electronic cardholder data storage; standalone dial-up terminal merchants, no electronic cardholder data storage | 29 |
| C-VT | Merchants using only web-based virtual terminals, no electronic cardholder data storage | 51 |
| C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage | 80 |
| D | All other merchants (not included in the descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ | 288 |
ASVs are organizations that perform the quarterly external scans for merchants and have been qualified and pre-approved by the PCI Council. All companies submitting quarterly network scans are required to use a company that has achieved ASV status. Note that your organization will be required to submit "clean" scans, meaning that no failing vulnerabilities were found and that the scans have been attested to by both you and your ASV. Oftentimes, organizations choose to perform their first few scans a little earlier than the end of the quarter so that any failing vulnerabilities or issues found can be remediated and a rescan performed in time.
We will be providing more details on these two areas in upcoming articles. If you need expert guidance before then, we stand ready to help. Please contact us at 1-800-825-3301 x 2.