The PCI Security Standards Council has made compliance fairly easy by dividing it into four basic levels. Figuring out where you fit in isn’t difficult either.
Level 4: Level 4 is for small businesses processing fewer than 20,000 eCommerce transactions and fewer than 1 million other transactions each year. Level 4 businesses are required to complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans, administered by an approved scanning vendor, may also be required.
Level 3: This level covers medium-sized companies that process between 20,000 and 1 million transactions annually. These businesses must complete an annual risk assessment using the appropriate SAQ. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.
Level 2: Level 2 companies execute anywhere from 1 million to 6 million transactions annually. They must complete a risk assessment each year using the appropriate SAQ. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.
Level 1: Major corporations and “big box” stores are Level 1 businesses that have a minimum of 6 million transactions per year. These companies must have an annual internal audit conducted by a qualified PCI auditor. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.
When an organization completes a PCI scan, risk assessment or internal audit, there are 12 control objectives being evaluated, and they are delineated in the DSS. As one author I recently read put it when coining the phrase “The Digital Dozen”, they aren’t a mystery; they are actually straightforward:
Network Security: To protect cardholder data you will need to install and maintain firewalls in front of your web applications. Additionally, you’ll want to set your own system passwords and other security parameters; in other words, do not use vendor-supplied defaults.
Data Protection: Protect stored cardholder data and encrypt all transmissions of cardholder data.
Vulnerability Management: Here you will want to develop and maintain secure systems and applications. You will also need to regularly update the anti-virus software on all of your systems.
Access Control: This touches on restricting access to cardholder data on a “need-to-know” basis. Also, restrict physical access to cardholder data and assign a unique ID to each person with computer access.
Monitoring and Testing: You will certainly want to regularly test security systems and processes. Track and monitor all access to network resources and cardholder data.
Information Security: Put in place, and maintain, a policy that addresses information security.
In closing, the ins and outs of the payment processing industry can get heavy for many people. Trying to decipher the complexities of different fees, coupled with industry jargon, can be a daunting task to say the least, not to mention the well-known bait-and-switch tactics associated with the industry’s ‘shady fees’. With such a positive lead-in, I felt it prudent to let you know that if you do your due diligence, the information you need is out there to empower yourself with the knowledge to be compliant and also to get the best rates for you and your business. Question those fees and challenge the answers you get, because “unpacking” what is buried in the billing statements from your merchant account processor is crucial to protecting your bottom line.
Here are a couple of links to sites that I found to be very informative yet written in layman’s terms: