If you want to accept credit cards online, then you need to be PCI Compliant, whether your business is brand new, or your business been established for centuries.

Over the years, we’ve helped various business owners and managers to become PCI Compliant.

To those who have not gone through the PCI Compliance process, the road to having their first PCI Compliance certificate can look long, hard, and daunting.

This article is meant to take away the sting, especially for first time business owners and managers, by revealing the process of becoming PCI Compliant.

Like many things in life, gaining PCI Compliance and keeping it is a process. Let me first cover some common questions and definitions; and then we’ll get into the heart of the matter.


What is PCI?


The Payment Card Industry (PCI) Data Security Standard (DSS) was established by the major card brands including: Visa, MasterCard, American Express, Discover Financial Services, and JCB International. All business who process credit cards (merchants) are required to implement the PCI standards into their methods of processing to prevent credit card theft.


What does it mean to be PCI Compliant?


A merchant that is PCI Compliant would have successfully filled out the appropriate self assessment questionnaire (SAQ), would have a written security policy which is kept up to date, and would have had their web site scanned by an authorized PCI Compliance scanning vendor where the scan passed.


What if I have online forms or an online cart that uses a third-party processor like Authorize.net, Paypal.com, Verisign Payflow Pro, Google Wallet, or the like? If my credit card processor is already PCI Compliant, don’t I inherit their compliance?


No. While you should only be using payment processors that are PCI Compliant, their PCI Compliance does not transfer to your site and your business. Source: http://www.pcicomplianceguide.org/pcifaqs.php#8


What are the steps an owner of a web site goes through to become PCI compliant?

  1. Determine your merchant level.
  2. Determine your validation type.
  3. Complete and report an attestation of compliance and self assessment questionnaire (SAQ) annually.
  4. Complete and report results of all external vulnerability assessment scans (all public facing IP addresses used to process, view, or handle credit card data require scans) performed by an approved scan vendor (ASV) quarterly.
  5. Create and update an information security policy annually.


What is a merchant level?

The merchant level is based on transaction volume for the organization.

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of a merchant’s Visa transactions (inclusive of credit, debit and prepaid).


Level / Tier 1 Merchant Criteria Validation Requirements
1 Merchants processing over 6 million Visa transactions
annually (all channels) or Global merchants identified as Level 1 by
any Visa region 2
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor
    (“QSA”) or internal auditor if signed by officer of the company
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form
2 Merchants processing 1 million to 6 million Visa transactions
annually (all channels)
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
3 Merchants processing 20,000 to 1 million Visa e-commerce
transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
4 Merchants processing less than 20,000 Visa e-commerce
transactions annually and all other merchants processing up to 1 million
Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer

1Compromised entities may be escalated at regional discretion

2 – Merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exception may apply to global merchants if no common infrastructure and if Visa data is not aggregated across borders; in such cases merchant validates according to regional levels.

What is a validation type?

The Payment Card Industry classifies level four merchants into five different validation types. The following chart from the Payment Card Industry website gives an explanation of the levels:

Source: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

SAQ Type
SAQ: V1.2
Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Imprint-only merchants with no electronic cardholder data storage
Stand-alone terminal merchants, no electronic cardholder data storage
Merchants with POS systems connected to the Internet, no electronic cardholder data storage
All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.


What questions can I expect to be asked on the self assessment questionnaire (SAQ)?

While the exact questions or wording of the questions may vary from assessor to assessor, the following are the types of questions you can expect to be asked:

  • What is the approximate number of credit card transactions you process per calendar year (this goes towards merchant level)?
  • What is the legal business name of the credit card processing company you are using? (i.e. authorize.net) If you are using several, you will be asked to list each one.
  • What is the legal business name of your Web hosting provider?
  • What is the name of the shopping cart you are using?
  • What is the legal business name of the data center where your servers are rented or co-located?
  • If you are using point of sale terminals, who is the legal business name of the manufacturer? What is the make and model number?
  • If you are using a payment application what is the legal business name of the payment application vendor? What is the name of their software? What version of the software are you using?


What is a PCI Compliance scan?


A PCI Compliance scan involves a scanning vendor running a series of tests from one or more of their servers against your web site, and the server hosting your web site.

The tests are meant to ascertain whether or not your site is easy to hack. Please note since any device can be hacked, passing a PCI Compliance scan doesn’t mean uncrackable; it just means the site is harder to hack as compared to sites which are not PCI compliant.

Only the results of an approved scanning vendor count, so you will want to be sure the vendor you or your bank pick is an approved scanning company.

While we work with a number of approved scanning vendors, we recommend SecurityMetrics.com; they are small business friendly, and tend to be easier to work with compared to other scanning vendors.


What is an information security policy?


An information security policy is a written document that you should create and maintain which covers your organization’s policies and procedures for handling of information.

While there are a number of places where you can purchase document templates (200+ pages), SANS has a number of free ones available at http://www.sans.org/security-resources/policies/internet.php

If you search on “Information Security Policy Template” (including the quotes) in Google, you might be pleasantly surprised to find PDF versions of a number of organizations that you could use as a guideline.


By now, you might be feeling overwhelmed; and, you might be thinking, does it have to be this hard?

The process of getting and keeping PCI Compliance can be overwhelming IF you try to eat it in one bite; break down the process into easier to eat bites, and it is not that difficult.

PCI Compliance is a dance between multiple dancing partners. Let’s start breaking down the process by looking at each party, and who is responsible for what steps.

Here are the parties and pieces involved in the dance:

  • The merchant — you.
  • The hosting provider.
  • The ecommerce application (i.e. shopping cart) being used.
  • The payment gateway (i.e. authorize.net) being used.
  • Your web site in terms of any forms and other applications you have installed on the site.
  • The approved scanning vendor.
  • Your bank.
  • Potentially, a PCI Compliance company that acts as a holding company for information on your compliance (i.e. Trustwave does this for a number of banks where you can upload various security documents attesting to your PCI Compliance).


Let’s look at this dance from multiple angles based on your potential partners.

Best Practice – Each PCI Compliance dance partner fits the PCI Compliance theme and individually a strong entity

You are still you, the merchant. In your office or home office set up, you are using best practices for security for your network / wireless network along with best practices for how you maintain customer information including any credit card information. This includes, but is not limited to having a firewall, anti-virus which is kept up to date, anti-malware which is kept up to date, a shredder, and pc’s with strong passwords with zero paper trail as to passwords.

Your site is being hosted with a managed hosting provider like Dynamic Net, Inc. who is also PCI Compliant; and understands the ins and outs of PCI Compliance.

You are using a PCI compliant, PCI-DSS certified shopping cart like ShopSite or Prestashop.

You are using a PCI compliant payment processor like authorize.net

Your web site applications such as WordPress, Drupal, and Joomla are up to date including any themes and plugins.

You are using SSL with a secure certificate (digital ID); and any form the public can interact with is forced to use SSL (https).

You are using an authorized scanning vendor such as SecurityMetrics.com or Trustwave.

In the above dance, the very first PCI Compliance scan from your authorized scanning vendor (ASV) should be clean — you are on your way to PCI Compliance; just file the online forms as provided by the ASV with your financial institution or PCI Compliance holding company partner. In the worse case, you may need a second scan due to the ASV IP addresses needing to be white listed or a configuration change on the ASV end.

The key for becoming PCI compliant quickly involves making sure each partner in the PCI Compliance dance fits. Weak dance partners typically mean the PCI Compliance dance (process) takes longer, and in some cases outright fails.

Contact us for more information.