PCI DSS Compliance for Merchants

Failure to confirm compliance, or being in breach of PCI rules, can result in fines and / or suspension of your merchant account so it is imperative that you understand the procedure to becoming compliant. These fines can be substantial depending on the breach and could also result in you or your business being prohibited from using merchant services in the future. We have laid out some guidelines for you, as a merchant, to becoming compliant.

The information contained in this guide is provided without warranties and is purely for helping you to understand the compliance requirements. The exact requirements for your compliance level can only be determined by your acquiring bank or the card brands themselves. Your acquiring bank should also have their own compliance guide either on their website or available on request from the banks merchant services department.

The council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. It is mandatory for all businesses that accept Credit and Debit cards as a method of payment to become PCI compliant.

Your acquiring bank will recommend their chosen compliance provider (a QSA such as Security Metrics or TrustKeeper) in order to ascertain which PCI Level is applicable to your organization and which SAQ you will need to complete. You do not have to choose the acquirer’s recommended QSA, you can source your own as long as they are approved by the PCI DSS (see ‘What is a QSA’) There are four main levels of PCI compliance required by each of the card brands and you will need to check with each of them or consult your acquiring bank as to which category you fall into but as an example Visa’s definition is shown below:

To determine which SAQ you will need to complete (A-D) please refer to the table below. If further clarification is required you should contact your acquiring bank as ultimately it will be the bank that approves your compliance.

Depending on how you process card payments will depend on the need for a QSA to be instructed as shown in the examples to follow. Your acquiring bank (or compliance provider) should advise you depending on the results of your initial assessment as to whether a QSA is required or not. A list of approved QSA’s can be found here should you wish to use your own QSA for your PCI assessment.

Once you have been confirmed as compliant you will receive an annual PCI Compliance certificate for your business. Your PCI Compliance certificate will look something like this. *Remember, PCI compliance is an ongoing requirement and therefore the SAQ / internal assessment will need to be completed on an annual basis as well as any ongoing network scanning requirements.

Compliance with the PCI DSS means that your payment systems are secure and customers are more likely to trust you when it comes to them giving their credit or debit card details either online or over the phone. Compliance also improves your reputation (as a business) with acquiring banks and card brands.

If you are NOT compliant then the consequences of ignoring the standard could be significant. Initially, your acquiring bank will charge you non-compliance fees on a monthly basis and further refusal to show compliance could result in your merchant account (or accounts if you have several) being suspended or even deleted. Coupled with this, a security breach of card data, as a non-compliant merchant, will likely result in significant fines from the card brands, ranging from a minimum of $10,000 to unlimited. You could also face suspension or a total ban from using merchant services in the future. There is also the possibility of lawsuits and insurance claims for any breach resulting in the loss of sensitive data.

Q.The website collects and stores card data for me to put into my countertop/portable/mobile card terminal at a later time. Do I need to become compliant?

A.If you store or handle card data directly as a merchant then you will need to become PCI compliant and as such you will need to undergo internal security assessments and scans on a regular basis.

Q.I use Total Web Solutions to handle my website payments for me. Do I need to become compliant?

A.If you are using the Total Web Solutions PayPage to handle your card transactions and nothing else (i.e. countertop / portable / mobile terminal / virtual terminal or API) then you should not need to undergo PCI compliance but instead inform the acquirer (or their chosen compliance provider) that you outsource all card processing to Total Web Solutions. However, depending on the requirements of your acquirer they may still ask you to complete a Self Assessment Questionnaire (SAQ).

Q.I use Total Web Solutions to handle my MOTO (Mail Order / Telephone Order) card payments for me. Do I need to become compliant?

A.If you only process transactions via the Total Web Solutions Virtual Terminal - when a customer either calls, faxes or posts their card details to you - then you will need to complete Self Assessment Questionnaire C-VT (SAQ) – if you also use Total Web Solutions to process your website payments then Self Assessment Questionnaire C (SAQ) should be completed instead.

Q.I use an API to collect and pass through card data in order to process payments. Do I need to become compliant?

A.If you are using an API for direct card data processing you will need to undergo a formal onsite security assessment. This will need to be carried out by a Qualified Security Assessor (QSA). You will also require quarterly network / server scans by an Approved Scanning Vendor (ASV) as well as an annual SAQ. A list of ASV’s can be found here. Proof of your PCI compliance level will need to be provided before access to the Total Web Solutions API Suite is granted. See Corporate Services for more details.

To avoid the expense and time of having to become high level compliant yourself we would recommend using the Total Web Solutions PayPage and / or Virtual Terminal for your card processing needs.

Your acquiring bank may well recommend a provider for you but you can of course shop around for this yourself. Please note: using a PCI Compliance provider will involve charges for the compliance which depend on how much work is involved for the QSA. Expect charges to be upwards of £80+VAT per annum for a level 4 merchant and more for higher level PCI merchants.

Using Total Web Solutions PayPage for your online transaction processing not only saves you time and money but also ensures that your transaction processing is as secure as possible. This also means that you do not have the expense and headache of maintaining high level PCI compliance yourself.

Find out more about our PCI Compliant Payment Services.