What You Must Know about PCI Compliance before July 2010
It is no secret that identity theft is a growing concern among businesses and consumers alike. Every day there are new reports of the devastating effects a breach of personal information can have on its victims.
Recognizing this burgeoning threat, the United States government passed a federal law, the Fair and Accurate Credit Transactions Act of 2003 (FACTA). This detailed Act tackles many issues surrounding identity theft, from prevention and credit history restoration to credit report access.
Since that time, identity theft has continued to pose a major threat to consumers. In response to this growing problem, the major credit card brands (Visa®, MasterCard®, American Express®, Discover® and JCB®) came together to put into place a set of standards that all businesses accepting their cards are required to follow in order to maintain a secure environment for their customers’ credit card information. These standards, the Payment Card Industry Data Security Standard (PCI DSS), are what is meant by “PCI Compliance,” and the card brands require all businesses that accept cards to validate their compliance by July 2010.
If your business takes credit cards, this may leave you with the obvious question: “How do I know if I am PCI compliant?”
Though PCI compliance may seem complicated, there are five basic steps your business should follow in order to ensure compliance.
Step 1: Determine Your Merchant Level
First, you must know your merchant level. The merchant level is determined by the number of credit card transactions the business processes per year. (Note: this is the number of transactions, not the dollars of sales revenue.) Based on this number, there are four levels:
Level 1 – Businesses that process 6 million or more Visa® or MasterCard® transactions per year, regardless of how the cards are accepted.
Level 2 – Businesses that process between 1 million and 6 million transactions per year.
Level 3 – Businesses that process 20,000 to 1 million Visa® or MasterCard® e-commerce (Web) transactions per year.
Level 4 – Businesses that process fewer than 20,000 e-commerce transactions per year, and all other businesses, regardless of how they accept cards, that process up to 1 million transactions per year.
The large majority of business owners will fall under Level 4, which is the level addressed in this article. Be aware that the card brands can also assign a business a higher level than its transaction count alone would indicate, for example after a data breach.
Step 2: Identify Your Validation Type and Which Self-Assessment Questionnaire Your Business Needs to Complete
Your validation type is determined by the method you use to accept credit card payments (for example, card-not-present sales fully outsourced to a third party, a stand-alone dial-out terminal, or a payment application connected to the Internet). To find your validation type and get a copy of the corresponding Self-Assessment Questionnaire (SAQ) for your business, visit www.pcisecuritystandards.org.
Step 3: Complete the Self-Assessment Questionnaire
Now that you know your validation type and have the correct questionnaire, step three is simply to follow the instructions provided on the questionnaire and complete it. Many processors have an online tool to help you complete the process, so it may be to your advantage to check with your processor before starting this step.
Step 4: Determine If Your Business Is Required to Pass a Vulnerability Scan
This step is required for businesses that electronically store cardholder information or whose payment processing systems have Internet connectivity. Generally speaking, this refers to businesses that have a Web site capable of accepting credit cards through a payment gateway, or a point-of-sale system or payment application that sends transactions over an Internet connection. Your SAQ states whether a scan is required for your validation type.
If it is, you need to have a quarterly external vulnerability scan of your Internet-facing systems performed by a PCI SSC Approved Scanning Vendor (ASV). To count as passing, the scan must find no vulnerabilities rated medium severity (CVSS score 4.0) or higher on the systems in scope. Your processor has most likely made arrangements with an ASV, so you don’t have to search one out yourself.
Step 5: Complete an Attestation of Compliance
Once you’ve completed the appropriate questionnaire, and if your processor requires it, you will need to complete and submit the Attestation of Compliance, which is a section of the questionnaire itself (found at www.pcisecuritystandards.org).
In review, your business will need to submit the completed SAQ, evidence of a passing ASV scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer or processor. The SAQ and attestation are typically required every year (and the scans every quarter), but your processor may have put tools in place to help you complete the documentation more easily.
Still have questions? We understand. We recommend you call your processor or PTDA’s member benefit and approved payment-processing provider, Solveras Payment Solutions, at 800-613-0148 or visit them on the Web at www.solveras.com/ptda.