PCI Recognition Isn’t PCI Compliance

The National Retail Federation just released the results of a survey of PCI Level 4 merchants. The survey seemed to have some flaws, in that we couldn't tell where in the broad Level 4 bracket the respondents fell, but one thing is clear: while 70% of the merchants know about PCI, the percentage that actually understand it is a lot smaller. That isn't surprising. Unfortunately, a merchant who doesn't understand the standard probably isn't compliant with it either.

PCI compliance is a bit confusing, but taking it step by step makes it a lot easier. The first step is to determine whether you must be compliant at all. The answer is always yes.

All merchants are required to comply with the Payment Card Industry Data Security Standard. Merchants that store, process or transmit account data may also be required to validate compliance with their acquirer. For a merchant to be considered compliant, any Service Providers that store, process or transmit account data on behalf of the merchant must also be compliant.

There are three key phrases there. First, all merchants are required to comply; nothing separates online stores from brick-and-mortar stores. Second, if you store, process or transmit card data, you may have to validate your compliance. If you are a merchant, you accept cards, so you almost certainly have to validate your compliance with your acquirer. Lastly, and most important, all of your service providers must also be compliant. That means your processor, your gateway and your shopping cart.

You also need to determine which level of requirements you fall under. That one is easy: ask your processor or, better yet, check with the card brands. MasterCard has its PCI levels defined here and Visa has them here. The good news is that they're essentially the same. Either of these links will tell you which of the four levels you fall under and what you need to do to validate.

Now that you know that you must comply with the PCI DSS, it's up to you to get there. At the very least, you'll need to complete the Self-Assessment Questionnaire (SAQ). There are several versions of the SAQ, each matching a different way of accepting cards, but you can find everything you need to know by reading the SAQ Overview.

If your level or SAQ requires quarterly external vulnerability scans, they must be performed by an Approved Scanning Vendor (ASV), and they aren't very expensive. Merchant911 recommends these folks, or you can find an ASV on the PCI Security Standards Council website.

There is no ROI on PCI compliance until you're hacked. But then again, there is no ROI on car insurance until you crash. You shouldn't be without either of them.

About Tom Mahoney

Tom Mahoney is the Founder and Director of Merchant911, a site dedicated to helping e-commerce merchants.
This entry was posted in Hacks, PCI Compliance, Security Standard.