The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment, and store, process or transmit cardholder data, you need to host your data securely with a PCI compliant hosting provider.
According to the PCI Security Standards Council, PCI DSS comprises 12 requirements that together serve a set of security goals: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, and maintaining an information security policy. Here's your guide to the four levels of PCI compliance as mandated by the major payment card brands, Visa and Mastercard, along with the action items for each:
Level 1: Your company processes over 6 million Visa and/or Mastercard transactions per year. This level requires yearly on-site reviews by an internal auditor and a network scan by an approved scanning vendor (ASV).
Level 2: You process 1 million to 6 million Visa and/or Mastercard transactions per year. You must complete a Self-Assessment Questionnaire (SAQ) annually, and this level requires a network scan by an approved scanning vendor.
Level 3: Your company processes 20,000 to 1 million Visa and/or Mastercard e-commerce transactions per year. You must complete a Self-Assessment Questionnaire (SAQ) annually, and this level also requires a network scan by an approved scanning vendor.
Level 4: You process fewer than 20,000 Visa and/or Mastercard e-commerce transactions per year. You must complete a Self-Assessment Questionnaire (SAQ) annually, and this level requires a network scan by an approved scanning vendor.
Now, how do you know which SAQ (Self-Assessment Questionnaire) to fill out? You need to find which merchant type best fits your company profile:
A: E-commerce, mail or telephone order merchants that do not store cardholder data (CD). All cardholder data functions are outsourced. This does not include face-to-face merchants.
B: Merchants that do not store electronic cardholder data. This applies to merchants that use an imprint machine to copy cardholder information, and also to standalone, dial-out terminal merchants.
C-VT: Web-based virtual terminal merchants that do not store electronic cardholder data.
C: Merchants that use a payment application system connected to the Internet and do not store electronic cardholder data. If the payment application system comes from a software vendor, that vendor must take security measures to ensure the application meets PCI compliance.
D: All other merchants not covered by the categories above, including all service providers that a payment brand has defined as eligible to complete an SAQ.
By narrowing down what level and type of merchant you are, you're well on your way to becoming PCI compliant!