Payment Card Industry compliance refers to a specific grouping of standards that have been set up to help ensure that customer data is being secured uniformly throughout the industry. MasterCard, Visa, Discover, and American Express set up the Payment Card Industry Security Standards Council over 13 years ago in 2006 with a view to helping regulate the credit card industry and maintain the Payment Card Industry standards to hopefully improve the security of transactions and payments.
Why Do I Need PCI Compliance for My Business?
Any business, no matter how big or small and regardless of transaction volume, needs to be Payment Card Industry compliant if they’re accepting payments from credit and debit cards. To be more specific, any company that will be storing, transmitting, or processing credit card information is legally required to be Payment Card Industry compliant. Should a data breach occur, any company that is not fully Payment Card Industry compliant will be subject to steep fines by the Payment Card Industry Security Standards Council. When it comes to smaller-sized businesses, being Payment Card Industry compliant will lessen any liability for your business in the event of a data breach occurring.
How Do I Become PCI Compliant?
In order to become fully Payment Card Industry compliant, a yearly self assessment questionnaire must be completed, along with a quarterly Payment Card Industry security scan which must be passed.
The self assessment questionnaire will include a series of questions that have been designed to assess Payment Card Industry security levels, and depending on how a business is to deal with their payment processing, they will fall into one of several categories.
Additionally, by finding a payment processor that will provide Payment Card Inquiry compliant payment processing, you can ensure that all of your business’ credit card transactions will be secure.
The different types of Self Assessment Questionnaires break down as follows:
A: Card-not-present merchants for whom all cardholder data functions have been outsourced to validated third party service providers with no cardholder data stored, processed or transmitted on the merchant’s systems or premises.
A-EP: Online merchants for whom all payment processing data is outsourced to validated third parties, and who don’t receive any cardholder data through their website, but can, however, impact the transaction’s security. No cardholder data is stored, processed or transmitted on the merchant’s systems or premises.
B: Merchants who only use standalone dial out terminals with no electronic cardholder data storage and/or imprint machines with no electronic cardholder data storage.
B-IP: Merchants who use only standalone terminals that are PTS approved, with an IP connection to the payment processor, and with no electronic cardholder data storage.
C-VT: Merchants manually entering single transactions at a time with a keyboard into a validated third party virtual terminal solution. No electronic storage of cardholder data.
C: Merchants with online payment application systems and no electronic storage of cardholder data.
P2PE-HW: Merchants with hardware only payment terminals, with no electronic storage of cardholder data.
D (Merchants): All merchants not covered by any of the above
D (Service providers): All service providers a payment brand has defined as eligible to complete a self assessment questionnaire.