July 30, 2019
All entities that process, store or transmit cardholder data must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate from the card brands. While PCI compliance levels vary, compliance is mandatory for any business that accepts credit card payments.
PCI offers a tangible framework for merchants to identify and address payment card data threats and vulnerabilities that could lead to a breach. It holds merchants accountable for securing their business environment and for business policies (or lack thereof) and employees’ actions that lead to a data breach.
The PCI council isn’t equipped to check into every business to make sure PCI regulations are being met, but the consequences of non-compliance can be grave. If a breach occurs and it’s determined that the business was not compliant at that moment, it will face hefty fines and fees as well as reputational damage and customer attrition.
There are 12 over-arching requirements for PCI compliance:
There are four levels, or tiers, of PCI compliance that merchants are organized under based upon their card transaction volume (credit, debit, and prepaid) over a 12-month period. If a merchant suffers a breach that results in account data compromise, they may be escalated to a higher level of compliance.
Read on to identify which PCI compliance level applies to your business as of July 2019, and the steps you may need to take to achieve compliance.
Level 1 merchants process over 6 million card transactions annually through all channels (card present, card not present, eCommerce). Also, any global merchant that processes a total of 6 million transactions across all regions may cause the entire business to qualify.
Merchants who are considered Level 1 must do the following:
Level 2 merchants process 1 to 6 million card transactions annually through all channels (card present, card not present, eCommerce).
Merchants who are considered Level 2 must do the following:
Level 3 merchants process 20,000 to 1 million card transactions annually, exclusively via eCommerce processing methods.
Merchants who are considered Level 3 must do the following:
Level 4 merchants process up to 1 million card transactions annually through all channels (card present, card not present, eCommerce) and do not process more than 20,000 card transactions annually exclusively via eCommerce. Alternatively a merchant processing less than 20,000 card transactions annually exclusively via eCommerce will qualify for Level 4 status.
Merchants who are considered Level 4 must do the following:
Merchants can determine their PCI compliance level by consulting their merchant services provider or using their provider’s reporting tools. Level 1-3 merchants have more complex compliance requirements because of the size and nature of their business. They are also more likely to have internal IT and compliance teams to implement and monitor their compliance programs.
Most merchants who identify as small- or medium-sized businesses fall under the Level 4 category. While the compliance requirements may be somewhat simpler, these merchants often find it more challenging to meet the requirements if they do not have internal IT infrastructure. Fortunately, providers like Worldpay offer PCI compliance assistance products that make the process more affordable for Level 4 merchants.
The Self-Assessment Questionnaire (SAQ) a merchant must complete depends upon how they accept card payments. For example, SAQ-A applies to card-not-present (eCommerce or MOTO) merchants that do not store, process, or transmit cardholder data on their systems or premises. Merchants that use a standalone, dial-out terminal and have no electronic data storage need to complete SAQ-B. Contact your payments provider or refer to the PCI SSC if you are unsure about which form to complete.
PCI compliance is not a one-time event— it requires ongoing effort. As a business owner, much of this effort rests on you. Focusing only on an annual compliance assessment can create a false sense of security. According to the deployed by organizations that had passed an assessment were often out of compliance when breaches occurred at a later date.
Once you’ve achieved compliance, it’s important to implement practices to maintain your compliant status. Here are some things you can do:
The ability to accept card payments is a privilege, not a right. Achieving and maintaining PCI compliance is the best way to protect your business and your right to accept card payments.