The PCI Basics/Quick Guide – What Do Small Merchants Need to Do to Achieve PCI Compliance?
The day has come. You have received notification from your acquirer that your organization is required to submit Payment Card Industry (PCI) compliance validation. You’ve also just been informed that there are penalties – most likely fees, but also possible termination of your card acceptance agreement, or other forms of repercussions associated with not providing this validation by a certain date to your acquirer.
A quick search of the Web only comes up with confusing jargon, seemingly conflicting information and unclear guidance. What on earth do you do now? In this article, we will focus on the initial steps to take once you receive that notification in order to help simplify the process for you.
The first step is to determine your level as defined by credit card brand
Why is it important to understand which level you fall under for each credit card brand? Each credit card brand runs its own umbrella compliance program, and each program counts only the transactions made with that brand's cards. To make matters more confusing, the card brands differ both in how they define the levels and in what compliance validation they require at each level. For example, Level 4 merchants, according to Visa’s criteria, are those organizations with up to 1 million Visa transactions annually. MasterCard categorizes organizations with up to 1 million MasterCard transactions annually as Level 3 merchants, and American Express doesn’t have a Level 4 category at all.
Each level brings its own compliance validation requirements. While you may be a Level 4 merchant according to Visa’s classifications, you may be a Level 2 merchant according to American Express. The compliance validation requirement for a Level 3 American Express merchant is to provide quarterly scans, whereas a Level 4 Visa merchant is only required to do so at the discretion of its acquiring bank.
Visit the following pages to determine which level you are by credit card brand:
If in doubt, tally your annual transaction counts separately for each credit card brand, then contact your acquirer bank and ask. Acquirer banks have the final say over their merchants’ levels, so verify your assumptions with your bank. Keep in mind that if your organization suffers a breach at any time, your level may also be raised, so check with your acquirer bank in that situation, too.
The next step is to determine what you ultimately need to submit for compliance validation
Once you know what level you are, you can determine what you are responsible for providing to the acquirer bank in order to validate compliance. If you meet the card brands’ criteria for Level 4, the remaining steps before beginning your compliance validation are to determine which Self-Assessment Questionnaire (SAQ) is the appropriate one for your organization to submit and, if you are required to submit quarterly external scans, to select an Approved Scanning Vendor (ASV).
The table below reflects what your acquirer bank would typically expect you to submit in order to validate compliance; however, keep in mind that the acquirer may change its requirements at any time, so it is worth verifying expectations before beginning work.
There are five types of SAQs, A through D, several of which have variants. Which version you need to complete depends on, among other things, whether you use your own systems to process payments, whether you store cardholder data, and whether you accept credit cards in person and/or electronically.
| SAQ Validation Type | Description | # of Questions (v3.0) | ASV Scan Required |
|---|---|---|---|
| A | Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage | 14 | No |
| A-EP | E-commerce merchants redirecting to a third-party, PCI compliant service provider for payment processing, no electronic cardholder data storage | 139 | Yes |
| B | Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage | 41 | No |
| B-IP | Merchants with standalone IP (Internet) connected payment terminals: no e-commerce or electronic cardholder data storage | 83 | Yes |
| C | Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage | 139 | Yes |
| C-VT | Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage | 73 | No |
| D-Merchant | All other SAQ-eligible merchants, or those that electronically store cardholder data | 326 | Yes |
| D-Service Provider | SAQ-eligible service providers | 347 | Yes |
| P2PE | Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage | 35 | No |
ASVs are organizations that perform the quarterly external scans for merchants and have been qualified and pre-approved by the PCI Council. All companies submitting quarterly network scans are required to use a company that has achieved ASV status. Note that your organization will be required to submit “clean” scans, meaning that no failing vulnerabilities were found and that both you and your ASV have attested to the scan results. Organizations often choose to run their first few scans somewhat earlier than the end of the quarter, so that any failing vulnerabilities or issues found can be remediated and a rescan performed before the deadline.
If you need expert guidance, we stand ready to help. Please contact us at 1-800-825-3301 x 2.