PCI Compliance as it Relates to Taking Online Payments


Any organization that accepts, transmits or stores cardholder data must be PCI Compliant. So, first of all, what is PCI Compliance? PCI Compliance is adherence to a set of security standards designed to protect against security breaches. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies, no matter what size, that accept, process, store or transmit credit card information maintain a secure environment. The card companies and brands are responsible for enforcing compliance, not the PCI Council. To be sure that your organization is compliant, you can refer to the PCI DSS documents on the PCI Security Standards Council website at:

What are PCI Compliance Levels?

Each credit card brand has its own umbrella compliance program, which focuses on the number of transactions for that brand's cards alone. To make matters more confusing, credit card companies differ in their level definitions and in their compliance validation submission requirements.

Here is an example of the PCI Compliance Levels set up by Visa and Mastercard:

There are four levels of PCI Compliance according to credit card companies Visa and Mastercard. These levels are determined by the volume of transactions per year. The levels are:

– PCI Compliance Level 1 – Any merchant, regardless of acceptance channel, that processes over 6 million Visa and/or Mastercard transactions per year.

– PCI Compliance Level 2 – Any merchant, regardless of acceptance channel, that processes 1 million to 6 million Visa and/or Mastercard transactions per year.

– PCI Compliance Level 3 – Any merchant processing 20,000 to 1 million Visa and/or Mastercard e-commerce transactions per year.

– PCI Compliance Level 4 – Any merchant processing less than 20,000 Visa and/or Mastercard e-commerce transactions per year or all other companies that process up to 1 million Visa transactions per year.

Once you figure out which level you are, you can determine what you are responsible for providing to the bank in order to show compliance validation.

(More information at )

What is the definition of “Merchant”?

According to the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of the five members of the PCI SSC (American Express, Visa, Mastercard, Discover Card or JCB) as payment for goods and/or services.

A merchant that accepts credit or debit cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers.

What constitutes a “Service Provider”?

The definition of a “Service Provider” according to the PCI SSC is: “A business entity that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.”


Does PCI Compliance apply to small businesses and home businesses as well?

Yes, businesses operated out of your home and other small businesses must also be PCI Compliant if they fall under one of the four levels of PCI Compliance.

Home businesses should also be especially alert to hackers, because they usually don’t have the same level of protection as larger merchants, service providers and companies.

What are “SAQs”?

The PCI DSS self-assessment questionnaires, or SAQs, are validation tools intended to assist merchants and service providers in reporting the results of their PCI DSS self-assessment. To help you identify which SAQ best applies to your organization, check the website below to find the different SAQ types:

What are the penalties for non-compliance?

The payment companies may fine an acquiring bank or website $5,000 to $100,000 per month for PCI Compliance violations. The banks can then pass this fine along until it eventually reaches the non-compliant merchant. Banks may also increase fees or even terminate the relationship if the non-compliance continues. Penalties usually are not made public.

Action Step for you…

Ask your current portal company: “Are you PCI Compliant?”

And then ask to see the certification.

We hope this article has helped you better understand PCI Compliance as it relates to taking online payments. If you need any further assistance with your payment portal, don’t hesitate to reach out to us.