PCI Compliance

PCI Compliance

PCI Compliance

(for educational purposes only)

What is PCI ?

  • Is a Standard established by the PCI SSC (PCI Security Standard Council)
  • This Council was established by Visa/MasterCard/AMEX/Discover
  • PCI is a set of 12 Requirements which are basically internal control elements to ensure heightened safety and security over the handling, storing and transmision of credit card data

Who Does It Apply To?

  • Any company/merchant that accepts credit cards (Visa/MC/AMEX/Discover)
  • Volume of transactions (e.g., low volume) or method of credit card processing (e.g., using a credit card terminal) is never a criteria for opting out of the Requirement
  • You must be in compliance now.

What do I need to do now ?

  • Read and Understand the entire PCI-DSS Standard and how it applies to your company.
  • At a minimum, to demonstrate compliance, you need to complete at least one of four Self-Assessment-Questionnaires.
  • The 4 Questionnaires (SAQs) are SAQ-A, SAQ-B, SAQ-C, and SAQ-D.
  • The criteria for which SAQ applies to you is summarized below.
  • Depending upon your specific situation you MAY need to engage a Qualified Security Assessor (QSA)

What are the PCI compliance ‘levels’ and how are they determined?

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.
Merchant levels as defined by Visa:

Merchant Level Description
1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

 * Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Which Self-Assessment Questionnaire (SAQ) will apply to my company?

SAQ Validation Type



1 – Card Not Present Merchants. All cardholder data functions fully outsourced. SAQ-A
(Ver. 3.1)
2 – Partially outsourced E-commerce merchants using a third-party website for payment processing SAQ-A-EP
(Ver. 3.1)
3 – Merchants with only imprint machines or only standalone, dial-out terminals. No electronic storage of data. SAQ-B
(Ver. 3.1)
4 – Merchants with standalone IP-connected PTS Point-of-Interaction (POI) Terminals. No electronic cardholder data storage SAQ-B-IP
(Ver. 3.1)
5 – Merchants with payment application systems connected to the Internet. No electronic storage of data. SAQ-C
(Ver. 3.1)
6 – Merchants with web-based virtual payment terminals. No electronic storage of data. SAQ-C-VT
(Ver. 3.1)
7 – All Other SAQ-Eligible Merchants SAQ-D
(Ver. 3.1)