Credit card fraud and data security breaches are serious threats in today's technology-driven, modern world. When a business accepts credit cards, there are almost always predators seeking ways to obtain data about those cards. Credit card transactions that take place either online or in person are often targeted by people seeking to illegally obtain large quantities of credit card numbers and other information.
To combat this issue, the major credit card brands, such as Visa, Mastercard, and Discover, developed a security standard of best practices for merchants that is designed to better protect consumer cardholder data. This standard is known as PCI DSS, short for Payment Card Industry Data Security Standard. When a merchant meets these security standards, it is said to be "PCI compliant."
PCI compliance standards were first developed in 1999 but weren't very successful at first. Visa's first attempt was through its Cardholder Information Security Program (CISP). There were a lot of issues with developing a standard compliance requirement, in part because North American and international security guidelines were different.
Mastercard, American Express, JCB and Discover all made a similar attempt at developing a standard and failed. This was around 2001 and online activity was increasing exponentially, along with online fraudulent activity.
The five major credit card brands finally came together in December 2004 and created a comprehensive standard for merchant services and processing, called PCI DSS Version 1.0. This standard became the building block for continued improvements in data security, and further versions of PCI DSS were released. In addition, the Payment Card Industry Security Standards Council was created as a means of managing the security standards process. As stated on its website, it is "responsible for the development, management, education, and awareness of the PCI Security Standards."
Over the years, the process of PCI compliance has faced several obstacles, including inconsistent auditing standards and lack of merchant compliance. To deal with these issues, the Council has worked to simplify the process for merchants to obtain PCI Compliance.
Achieving PCI compliance is required for all merchants that accept payment cards. However, a "merchant level" is assigned to each business based on its Visa transaction volume over a 12-month period. There are four merchant levels. For example, merchant Level 1 is described as "any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system."
The most common merchant level is level four, which applies to “any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.”
The requirements for a level four merchant include first completing a self-assessment questionnaire, which is used to validate compliance. The questionnaire used depends on the type of processing method: for instance, whether transactions are accepted in person or online, and how transaction data is captured, such as whether your business uses a POS system or a standard credit card terminal.
Merchants complete the questionnaire and then, if needed, obtain evidence of a passing vulnerability scan, which is completed by a PCI SSC Approved Scanning Vendor. Scanning isn't required for all merchants. Your processor, such as Bankcard Brokers, can help you determine whether you need to do the scan. Once those steps are completed and passed, an Attestation of Compliance is completed and issued either by a Qualified Security Assessor or by your business's internal auditing department. The Attestation is your certification that you are eligible to perform, and have performed, the appropriate Self-Assessment.
Once these steps are completed, these items are provided to the acquiring, or processing, bank. Your credit card processor is required by the card brands to encourage, educate, and confirm merchant compliance, or else be fined by the card brands.
As your processor, Bankcard Brokers can help you with any PCI compliance questions. Contact Bankcard Brokers today for all your merchant services needs!