Over the last few years, despite ever more rigorous PCI compliance requirements, there has been a notable increase in data breaches. Large companies such as Target and Home Depot have been hacked and information about transactions and customers has been stolen.  However, the problem of data theft isn’t limited to large companies. Small businesses have also been subjected to data breaches at an alarming rate. These breaches may not make headlines, but the number of instances is significant.  As a matter of fact small business data breaches far exceed the damage done from breaches that make the headlines.  This is mostly due to the fact that most small businesses have significantly less stringent customer information security protocols so the information that criminals are able to extract is much more valuable.  The issue has been prevalent enough for Visa, with the support of the PCI DSS (Payment Card Industry Data Security Standards), to issue new requirements for some merchants. Beginning on January 31, 2017, merchants who have been designated as a “level 4 merchant” must meet new security requirements in order to accept credit card transactions.

Who is a level 4 Merchant?

First of all, it is important to understand who is subject to the new requirements, as the changes aren’t applicable to all merchants. A level 4 merchant is a smaller business who processes up to one million Visa transactions each year. It is the smallest of the “tiers” that Visa uses to rank merchants; however, level 4 merchants represent over 90% of merchants that accept credit cards in the United States. They account for a huge portion of the credit cards payments accepted each year.

Merchants Excluded from the new PCI Compliance Requirements

Some merchants are excluded from these new PCI Compliance requirements.  Merchants who do not have to comply with these requirements include those who do not have internet connectivity and accept credit cards via a “dial up” credit card terminal and who do not use a third party for point of sale application or terminal installation.

What are the New PCI Compliance Requirements?

In an effort to fight fraud Visa has established two new main requirements for level 4 merchants.

One states “acquirers must ensure that Level 4 merchants using third parties for POS application and terminal installation and integration engage only PCI QIR professionals.”  In other words if your POS provider does take the necessary steps to become a PCI QIR certified provider your ability to accept credit cards will be at risk or your merchant account provider will pass the non compliance penalties down to you.

The second PCI compliance requirements states that acquirers (credit card processors) must ensure Level 4 merchants annually validate PCI DSS compliance or participate in the Technology Innovation Program, also known as TIP.

What Exactly Do the New PCI Compliance Requirements Mean for Merchants?

It is all part of the big picture of PCI compliance. The first requirement is being put into place because some third parties who install terminals and POS applications don’t have the proper knowledge on how to protect a merchant from hackers. Many installers have the technical knowledge to create slick POS interfaces and small merchants rely on them for that expertise. However, these third party installers may not know how to best protect payment data from criminals and may not understand the specific complexities involved in the payment processing industry. Hence, beginning in January of 2017, Visa is requiring the specified merchants to use only PCI QIR professionals. This stands for Payment Card Industry Qualified Integrators and Resellers. By using someone who has been given the PCI stamp of approval, businesses will be utilizing people who have the know how to properly protect payment data and implement the technology as required by PCI compliance standards.
The second requirement pertains to annual validation of PCI DSS compliance. Acquirers will be required to show compliance with the requisite payment standards each year, but there is GOOD NEWS!  There is a way around this requirement.  Merchants who participate in the Technology Innovation Program (TIP) will not have to meet this requirement.   Participation in TIP requires merchants to process at least 75% of its Visa transactions using chip technology and also not store cardholder data after transactions have been authorized.

How to Get Started Meeting the New PCI Compliance Requirements

Merchants who need to meet these requirements should work with a CPP (certified payment professional) certified processor and simply seek a POS provider who has been certified as a PCI QIR professional with experience in meeting PCI Compliance requirements. Bankcard Brokers is a top-notch processor with a staff of Electronic Transaction Association certified payment professional agents.  They will be able to work with you and provide payment processing solutions that are in compliance with the new Visa requirements.  For the Best Merchant Service Rates and World Class Service get started today with our simplified 5 minute secure application.

View our infographic on PCI Compliance and why it is so important for retail merchants.