PCI Compliance for Merchants

No matter what size the operation is, every merchant that processes, transmits or stores credit card data must have its PCI compliance validated each year. Whether you are a traditional "brick and mortar" merchant, a Web-based merchant, or both, understanding which PCI compliance level applies to your business is essential to ensure that your PCI compliance validation goes smoothly.

To further complicate things, the process for merchants must adhere to each payment card brand's individual requirements and definitions of PCI compliance. Even though the PCI Security Standards Council developed these standards, compliance is mandated individually by each payment card brand: Visa, MasterCard, American Express, Discover, and JCB International.

Merchants fall under four categories (levels) of PCI compliance, depending on the number of transactions they process each year.

Please see the following table to determine your merchant level:


| Merchant Level | American Express | Discover | JCB | MasterCard | Visa, Inc. |
|---|---|---|---|---|---|
| 1 | Merchants processing over 2.5 million American Express card transactions annually, or any merchant that American Express otherwise deems a Level 1. | Merchants processing over 6 million card transactions annually on the Discover Network; any merchant Discover determines to be a Level 1; merchants that have experienced an account data compromise; merchants required by another payment brand to validate and report as a Level 1. | Merchants processing over 1 million JCB International transactions annually, or compromised merchants. | Merchants processing over 6 million total combined MasterCard and Maestro transactions annually; merchants that have experienced an account data compromise; any merchant that MasterCard deems a Level 1; any merchant meeting the Level 1 criteria of Visa. | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region. |
| 2 | Merchants processing 50,000 to 2.5 million American Express transactions annually, or any merchant that American Express otherwise deems a Level 2. | Merchants processing 1 million to 6 million card transactions annually on the Discover Network. | Merchants processing less than 1 million JCB International transactions annually. | Merchants with greater than 1 million but less than or equal to 6 million total combined MasterCard and Maestro transactions annually; any merchant meeting the Level 2 criteria of Visa. | Merchants processing 1 million to 6 million Visa transactions annually (all channels). |
| 3 | Merchants processing less than 50,000 American Express transactions annually. | Merchants processing 20,000 to 1 million card-not-present-only transactions annually on the Discover Network. | N/A | Merchants with greater than 20,000 but less than or equal to 1 million total combined MasterCard and Maestro e-commerce transactions annually; any merchant meeting the Level 3 criteria of Visa. | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually. |
| 4 | N/A | All other Discover Network merchants. | N/A | All other MasterCard merchants. | Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually. |

PCI DSS Solutions for Merchants

On-site QSA Validation Service for Level 1 and Level 2 Merchants – Our annual on-site QSA Validation service for Level 1 and 2 merchants provides a total solution, including determination of project scope, vulnerability scanning, penetration testing, gap analysis and remediation services, followed by the final Report on Compliance (ROC). For specific pricing information, please call us at 866-735-3369 or fill out our "Contact Us" page and an auditor will call you promptly.

PCI DSS Self-Assessment Validation Service for Level 3 and Level 4 Merchants – Our PCI DSS validation for Level 3 and Level 4 merchants includes a PCI Self-Assessment Questionnaire (SAQ) and, if necessary, a PCI Approved Scanning Vendor (ASV) vulnerability scanning service. Whether you are required to fill out an SAQ, to have an ASV vulnerability scan, or both, the cost of this service is only $45 per year. If you need an ASV vulnerability scan, this price includes scanning for up to six public IP addresses and unlimited remediation scans. If you have more than six public IP addresses that require ASV scanning, additional blocks of six IP addresses are available for $45. To get started now, please click here.

The SAQ is a validation tool for eligible merchants and service providers who assess their own PCI DSS compliance and who are not required to submit a Report on Compliance. Different SAQs are available for various business environments, as detailed below. For compliance, the SAQ includes a series of "yes" or "no" questions, and when answering "no," the organization must state the planned remediation date and associated actions.

To align more closely with merchants and their compliance validation process, the SAQs provide flexibility based on the complexity of particular merchant environments (see the list below). The PCI DSS Self-Assessment Questionnaire Guidelines and Instructions document provides more details on each SAQ type, as follows:


SAQ A

This form is for card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.

SAQ A-EP

This form is for e-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have one or more websites that do not directly receive cardholder data but that can affect the security of the payment transaction. There is no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.

SAQ B

This form is for merchants using only:

  1. Imprint machines with no electronic cardholder data storage; and/or
  2. Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.

SAQ B-IP

This form is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT

This form is for merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C

This form is for merchants with payment application systems connected to the Internet and no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE-HW

This form is for merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ D

This form is for merchants that do not fit the description of any of the SAQ types above.


Approved Scanning Vendor (ASV) Vulnerability Scanning Service – Irrespective of merchant level, to comply with PCI DSS, organizations must practice a thorough approach to patch and vulnerability management. A patch is an update to existing software that adds functionality or corrects a defect, and a vulnerability is a "flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system." Patch and vulnerability management therefore refers to managing the functionality additions and defect corrections that address vulnerabilities in the software used to process credit card data. In addition to undergoing annual PCI compliance validation, a business that processes online cardholder data must present quarterly network perimeter scan results to its processor.

The cost of 1st Secure IT's quarterly ASV vulnerability scanning service is only $45 per year and provides tools that accurately and efficiently evaluate your Internet-facing security while assessing and remediating vulnerabilities. The price includes scanning for up to six public IP addresses and unlimited remediation scans. If you have more than six public IP addresses that require scanning, additional blocks of six IP addresses are available for $45. To get started now, please click here.

 

If you need help getting started... Contact Us!