PCI Compliance

PCI DSS Compliance for Merchants

Introduction

If you are a merchant that accepts (or plans to accept) credit and/or debit cards, you will need to become PCI (Payment Card Industry) compliant. Chances are you have already received, or will shortly receive, communication from your acquiring bank (the organisation that provides you with your merchant account) asking you to confirm that your business is PCI compliant.


What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements enforced by the PCI Security Standards Council, created specifically to protect credit and debit card data and to raise awareness of the standard among the businesses that handle it.


How does PCI compliance work?

Depending on how you process your card payments and the size and type of your business, you will either need to become PCI compliant yourself, by completing an annual Self-Assessment Questionnaire (SAQ) to show that you use a compliant solution, or instruct a QSA (Qualified Security Assessor) to assist you in attaining PCI compliance status.


What is an SAQ (Self-Assessment Questionnaire)?

The Self-Assessment Questionnaire is a validation tool that merchants can use to show their acquiring bank that their business is PCI compliant (or at least to demonstrate that the business is working towards compliance). There are several different questionnaires, each covering a different way of processing card payments, and all of them can be downloaded here.


Which SAQ should I be completing?

The exact requirements for your own compliance level will need to be determined by your acquiring bank, but the following table will give you an idea based on how you process card payments:

SAQ A
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
Not applicable to face-to-face channels.

SAQ A-EP*
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
Applicable only to e-commerce channels.

SAQ B
Merchants using only:
• Imprint machines with no electronic cardholder data storage; and/or
• Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.

SAQ B-IP*
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.

SAQ C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
Not applicable to e-commerce channels.

SAQ C
Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.
Not applicable to e-commerce channels.

SAQ P2PE-HW
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Not applicable to e-commerce channels.

SAQ D
All merchants not included in the descriptions for the above SAQ types.


What is a QSA (Qualified Security Assessor)?

A QSA is an information security consultant who has been trained and certified by the PCI Security Standards Council to carry out onsite security assessments for larger businesses (or businesses that process credit and debit cards directly from their website).


What do I do when I have completed the SAQ?

Once you have completed your required assessment, it will be up to your acquiring bank (or their chosen compliance provider) to determine whether you meet the compliance requirements. Most provide an online tool (a Compliance Management Service) where you submit your SAQ and/or network scanning results and receive instant confirmation of whether you have passed; others provide an email address to send these to instead.


What if I fail PCI compliance or don't complete the SAQ?

If you have completed the SAQ and/or an internal assessment and have not met the required compliance level, you will be given the opportunity to rectify any deficiencies in your systems so that you can continue the certification process or apply again. Your assessor or compliance provider will tell you which areas you failed in and advise you on how to improve your systems in order to become compliant.


What level PCI compliance do I require?

Below are examples of various types of card processing, which should help you ascertain which category you fall into:


How can Total Web Solutions help me with PCI compliance?

Total Web Solutions was one of the first UK companies to achieve and maintain PCI Level 1 accreditation, and as such we have many years' experience in this area. If you are struggling to complete any of the questionnaires, Total Web Solutions may be able to assist you by providing some of the information needed. Please contact the Sales team if assistance is required. Alternatively, you can use a PCI compliance provider to conduct your requirement-level checks and carry out your SAQ.