The PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements designed to ensure that companies involved in the processing, storing and transmitting of credit card data will maintain a secure environment all throughout. It was launched on September 7, 2006 to manage the continuous evolution of the Payment Card Industry (PCI) security standards which is focused on improving payment account security throughout the entire process.
The Payment Card Industry Security Standards Council (PCI SSC) is the one that sets and updates the standard. Major card brands such as Visa, Mastercard, Discover and American Express also set rules that require processors to be compliant, to validate their merchants, and to impose fines in case a breach occurs due to non-compliance.
PCI should be complied by all organizations or merchants, no matter the size or number of the transactions, as long as they accept, transmit or store any cardholder data. In simpler terms, the PCI DSS requirements will apply to organizations at which customers pay merchants directly through a debit card or a credit card.
The Standard can be found on the PCI SSC's Website: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
Yes. As long as your business stores, processes or transmits payment cardholder data then you must be PCI Compliant.
Cards that are included in the scope for PCI include any debit, credit, and pre-paid cards that are branded with at least one of the five card association/brand logos participating in the PCI SSC. This includes American Express, Discover, JCB, MasterCard, and Visa International.
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will usually pass this fine down the line until it reaches the merchant. Additionally, the bank may either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be result to a major catastrophe to any small business.
Make sure to become familiar with your merchant account agreement.
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA'). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level.
Merchant levels as defined by Visa:
|1||Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.|
|2||Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.|
|3||Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.|
|4||Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.|
* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
If your business locations process under the same Tax ID, then you may only be required to validate once annually, for all locations. You will also be required to submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV), if applicable.