FAQ PCI-DSS

General Questions

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.

The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available here.
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
All merchant that stores, processes or transmits cardholder data must be compliant now. However, as a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines.

All deadline enforcement will come from your merchant bank. You may also find more information on Visa’s Website.
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’).

In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level.

If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

Merchant levels as defined by Visa:
Merchant Level Description
1 Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.
3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.
* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
To satisfy the requirements of PCI, a merchant must complete the following steps:

  • Identify your Validation Type as defined by PCI DSS – see below . This is used to determine which Self Assessment Questionnaire is appropriate for your business.
  • Complete the Self-Assessment Questionnaire according to the instructions in the Self- Assessment Questionnaire Instructions and Guidelines.
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for Validation Type 4 and 5 – those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
  • I’m a small merchant with very few card transactions; do I need to be compliant with PCI DSS?
All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.
We recommend following the procedures outlined in Visa’s” What to Do If Compromised Visa Fraud Control and Investigations Procedures” document. Link below.
Source : GIE-CB