After a slew of massive data breaches, information security is more important than ever. This is where the concept of PCI compliance comes in. Otherwise known as the Payment Card Industry Data Security Standard, or PCI DSS, this concept is a security standard for proprietary information that applies to any business that stores, processes or transmits credit card information from major card companies like Visa, Discover, MasterCard, JCB or American express.
The standard contains a number of security requirements which are meant to regulate how your POS is set up, how you handle customer information, and how to secure your connection, among others. This means that simply not storing credit card data does not makes you PCI compliant.
Is PCI compliance mandatory?
PCI compliance is not required by federal law in the US, but there are some state level laws that refer to PCI compliance. For example, you have the state of Nevada which makes PCI compliance mandatory, and which shields PCI compliant companies from liability. The state of Washington on the other hand does not mandate compliance, instead offering only protection from liability for companies that are PCI compliant. However, your Credit Card Company or merchant bank will generally require your business to be PCI compliant.
Becoming PCI compliant
Compliance is split across several levels, with different credit card companies recognizing a different number of levels with different requirements. For example, MasterCard has five compliance levels, while Visa has only four. Each level corresponds to the size of your business (which is measured in transactions).
Once you’ve figured out which level you have to attain, based on information gathered from each credit card company you work with, it’s time to move on to the documentation you’ll need on your way to compliance. This is where the Self-Assessment Questionnaire (SAQ) comes in.
This questionnaire has 12 requirements that are split into six categories, and they range from installing and maintaining a firewall to tracking and monitoring all access to cardholder data and network resources. Each one of these requirements may be further subdivided into additional sub-requirements.
There are nine different variations of the SAQ, but you will only have to comply with the SAQ that corresponds to your particular setup. For example, an eCommerce only business will use the SAQ type A, or A-EP, depending if you process all your payments through a PCI compliant third party, or if you transfer some of the payments through a PCI compliant third party, but you also have a website which accepts credit cards.
Once you’re done with the SAQ, it’s time to complete the Attestation of Compliance (AOC) document, which validates that you are compliant with the steps outlined in the SAQ. With that out of the way, all you have to do is submit the documents, and then maintain compliance through the yearly review process.
For more information on PCI compliance, or to sign up for a merchant account, please call (888) 924-2743 or go to Charge.com.