PCI DSS Compliance for Merchants
If you are a merchant that accepts (or plans to accept) Credit and/or Debit cards then you will need to become PCI (Payment Card Industry) compliant. Chances are you have already received, or will shortly receive, communication from your acquiring bank (the organisation that provides you with your merchant account) requesting you to confirm that your business is PCI compliant.
Failure to confirm compliance, or being in breach of PCI rules, can result in fines and / or suspension of your merchant account so it is imperative that you understand the procedure to becoming compliant. These fines can be substantial depending on the breach and could also result in you or your business being prohibited from using merchant services in the future. We have laid out some guidelines for you, as a merchant, to becoming compliant.
The information contained in this guide is provided without warranties and is purely for helping you to understand the compliance requirements. The exact requirements for your compliance level can only be determined by your acquiring bank or the card brands themselves. Your acquiring bank should also have their own compliance guide, either on their website or available on request from the bank's merchant services department.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements enforced by the PCI Security Standards Council, created specifically to protect Credit and Debit card data as well as enhancing and encouraging awareness of the standard.
The council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. It is mandatory for all businesses that accept Credit and Debit cards as a method of payment to become PCI compliant.
How does PCI compliance work?
Depending on how you process your card payments and the size / type of your business you will either need to become PCI compliant yourself by completing an annual Self-Assessment Questionnaire (SAQ) to show that you use a compliant solution, or instruct a QSA (Qualified Security Assessor) to assist in attaining PCI compliance status.
Your acquiring bank will recommend their chosen compliance provider (a QSA such as Security Metrics or TrustKeeper) in order to ascertain which PCI Level is applicable to your organisation and which SAQ you will need to complete. You do not have to choose the acquirer's recommended QSA; you can source your own as long as they are approved by the PCI SSC (see 'What is a QSA'). There are four main levels of PCI compliance required by each of the card brands, and you will need to check with each of them, or consult your acquiring bank, as to which category you fall into. As an example, Visa's definition is shown below:
What is an SAQ (Self-Assessment Questionnaire)?
The Self-Assessment Questionnaire is a validation tool that can be used by merchants to show to their acquiring bank that their business is PCI compliant (or at least demonstrate that the business is working towards compliance). There are several different questionnaires to complete, all of which can be downloaded here.
To determine which SAQ you will need to complete (A-D) please refer to the table below. If further clarification is required you should contact your acquiring bank as ultimately it will be the bank that approves your compliance.
Which SAQ should I be completing?
The exact requirements for your own compliance level will need to be determined by your acquiring bank but the following table will give you an idea based on how you process card payments:
What is a QSA (Qualified Security Assessor)?
A QSA is an Information Security Consultant who has been certified (and trained) by the PCI Security Standards Council to carry out onsite security assessments for larger businesses (or businesses that process credit and debit cards directly from their website).
Whether a QSA needs to be instructed depends on how you process card payments, as shown in the examples that follow. Your acquiring bank (or compliance provider) should advise you, based on the results of your initial assessment, whether a QSA is required or not. A list of approved QSAs can be found here should you wish to use your own QSA for your PCI assessment.
What do I do when I have completed the SAQ?
Once you have completed your required assessment it will be up to your acquiring bank (or their chosen compliance provider) to determine if you meet the compliance requirements or not. Most will have an online tool (Compliance Management Service) for you to submit your SAQ and / or network scanning results so that you can get instant confirmation on whether you have passed or not (or an email address to send these to).
Once you have been confirmed as compliant you will receive an annual PCI Compliance certificate for your business. Your PCI Compliance certificate will look something like this. Remember, PCI compliance is an ongoing requirement and therefore the SAQ / internal assessment will need to be completed on an annual basis, along with any ongoing network scanning requirements.
What if I fail PCI compliance or don't complete the SAQ?
If you have completed the SAQ and / or internal assessment and have not met the required compliance level then you will be given the opportunity to rectify any deficiencies in your systems so that you can continue the certification process or apply again. Your assessor or compliance provider will advise you on the areas that you have failed in and give you advice on how to improve your systems in order to become compliant.
Compliance with the PCI DSS means that your payment systems are secure and customers are more likely to trust you when it comes to them giving their credit or debit card details either online or over the phone. Compliance also improves your reputation (as a business) with acquiring banks and card brands.
If you are NOT compliant then the consequences of ignoring the standard could be significant. Initially, your acquiring bank will charge you non-compliance fees on a monthly basis and further refusal to show compliance could result in your merchant account (or accounts if you have several) being suspended or even deleted. Coupled with this, a security breach of card data, as a non-compliant merchant, will likely result in significant fines from the card brands, ranging from a minimum of $10,000 to unlimited. You could also face suspension or a total ban from using merchant services in the future. There is also the possibility of lawsuits and insurance claims for any breach resulting in the loss of sensitive data.
What level PCI compliance do I require?
Below are examples of various types of card processing, which should help you ascertain which category you fall into:
Q. The website collects and stores card data for me to put into my countertop/portable/mobile card terminal at a later time. Do I need to become compliant?
A. If you store or handle card data directly as a merchant then you will need to become PCI compliant, and as such you will need to undergo internal security assessments and scans on a regular basis.
Q. I use Total Web Solutions to handle my website payments for me. Do I need to become compliant?
A. If you are using the Total Web Solutions PayPage to handle your card transactions and nothing else (i.e. no countertop / portable / mobile terminal, virtual terminal or API) then you should not need to undergo PCI compliance, but should instead inform the acquirer (or their chosen compliance provider) that you outsource all card processing to Total Web Solutions. However, depending on the requirements of your acquirer, they may still ask you to complete a Self-Assessment Questionnaire (SAQ).
Q. I use Total Web Solutions to handle my MOTO (Mail Order / Telephone Order) card payments for me. Do I need to become compliant?
A. If you only process transactions via the Total Web Solutions Virtual Terminal (when a customer either calls, faxes or posts their card details to you) then you will need to complete Self-Assessment Questionnaire C-VT (SAQ C-VT). If you also use Total Web Solutions to process your website payments then Self-Assessment Questionnaire C (SAQ C) should be completed instead.
Q. I use an API to collect and pass through card data in order to process payments. Do I need to become compliant?
A. If you are using an API for direct card data processing you will need to undergo a formal onsite security assessment. This will need to be carried out by a Qualified Security Assessor (QSA). You will also require quarterly network / server scans by an Approved Scanning Vendor (ASV) as well as an annual SAQ. A list of ASVs can be found here. Proof of your PCI compliance level will need to be provided before access to the Total Web Solutions API Suite is granted. See Corporate Services for more details.
To avoid the expense and time of having to become high-level compliant yourself, we would recommend using the Total Web Solutions PayPage and / or Virtual Terminal for your card processing needs.
How can Total Web Solutions help me with PCI compliance?
Total Web Solutions was one of the first UK companies to achieve and maintain PCI Level 1 accreditation and as such we have many years' experience in this area. If you are struggling to complete any of the questionnaires, Total Web Solutions may be able to assist you by providing some of the information needed. Please contact the Sales team if assistance is required. Alternatively, you can use a PCI Compliance provider to conduct your requirement level checks and carry out your SAQ.
Your acquiring bank may well recommend a provider for you but you can of course shop around for this yourself. Please note: using a PCI Compliance provider will involve charges for the compliance which depend on how much work is involved for the QSA. Expect charges to be upwards of £80+VAT per annum for a level 4 merchant and more for higher level PCI merchants.
Using the Total Web Solutions PayPage for your online transaction processing not only saves you time and money but also ensures that your transaction processing is as secure as possible. This also means that you do not have the expense and headache of maintaining high-level PCI compliance yourself.
Find out more about our PCI Compliant Payment Services.