The PCI Basics & Quick Guide
Date published:
Jan 1, 2022
.svg)
What Do Small Merchants Need to Do to Achieve PCI Compliance?.
The day has come. You have received notification from your acquirer that your organization is required to submit Payment Card Industry (PCI) compliance validation. You’ve also just been informed that there are penalties – most likely fees, but also possible termination of your card acceptance agreement, or other forms of repercussions associated with not providing this validation by a certain date to your acquirer.
A quick search of the web only comes up with confusing jargon, seemingly conflicting information and unclear guidance. What on earth do you do now? In this article, we will focus on the initial steps to take once you receive that notification in order to help simplify the process for you.
The first step is to determine your level as defined by credit card brand.
Why is it important to understand which level you fall under by credit card brand? Each credit card brand has their own umbrella compliance program which focuses on the number of transactions for their credit card alone. To make matters more confusing, credit card companies differ in their level definitions and compliance validation submission requirements.
For example, Level 4 merchants, according to Visa’s criteria, are those organizations which have up to 1 million Visa transactions annually. Mastercard categorizes organizations which have up to 1 million Mastercard transactions annually as Level 3 merchants, and American Express doesn’t even have a Level 4 category.
Each level brings its specific compliance validation requirements. While you may be a Level 4 merchant according to Visa’s classifications, you may be a Level 2 merchant according to American Express. The compliance validation requirement for a Level 3 American Express merchant is to provide quarterly scans. A Level 4 Visa merchant is only required to do so upon the discretion of their acquiring bank.
Visit the following pages to determine which level you are by credit card brand:
If in doubt, assemble the number of transactions separated by credit card brand, contact your acquirer bank and ask. Acquirer banks have the ultimate decision authority over their merchants’ levels, so you should verify your assumptions with your bank. Keep in mind that should your organization suffer a breach at any time, your level may also be elevated, so check with your acquirer bank in this situation, too.
The next step is to determine what you ultimately need to submit for compliance validation.
Once you know what level you are, you can now determine what you are responsible for providing to the acquirer bank in order to show compliance validation. If you meet the requirements of the card brands for Level 4, then the remaining steps to perform prior to beginning your compliance validation are to determine which SAQ is the appropriate one to submit for your organization, and – if you are required to submit quarterly external scans – to select an Approved Scanning Vendor (ASV).
This table reflects what your acquirer bank would be expecting you to submit in order to validate compliance; however keep in mind that the acquirer may change their requirements at any time, so it is worth it to verify expectations prior to beginning work.
There are five types of SAQs: A through D. Factors which affect which version you need to complete depend on whether you use your own systems to process payments, store cardholder data and accept credit cards in-person and/or electronically, among other things.
SAQ Validation Type Description # of Qs ASV Scan Required?
| SAQ |
Description |
PCI DSS Requirements |
ASV Scan Required? |
|
|---|---|---|---|---|
| % of D |
No. of Requests |
|||
| A |
All account data functions are outsourced to PCI DSS compliant third parties |
12% |
29 |
YES (for merchant web servers that host the page(s) that either 1) redirect customers to a TPSP/payment processor for payment processing or 2) include a TPSP’s/payment processor’s embedded payment page/form (e.g., inline frame or iFrame). |
| A-EP |
Partially outsource e-commerce payment channel to PCI DSS compliant third parties |
60% |
139 |
YES |
| B |
Imprint-only, or standalone, dial-out terminal |
12% |
27 |
NO |
| B-IP |
Standalone, PCI PTS approved point-of-interaction (POI) device connected via IP |
21% |
49 |
YES |
| C-VT |
Manual entry of account data from an isolated computing device into an Internet-based virtual payment terminal |
23% |
54 |
NO |
| C |
Point-of-sale (POS) system or other payment application systems connected to the Internet |
53% |
123 |
YES |
| P2PE |
Account data processed only via payment terminals from a validated PCI-listed Point to Point Encryption (P2PE) solution |
9% |
21 |
NO |
| SPoC |
Account data processed only using a commercial off the shelf (COTS) mobile device with a secure card reader-PIN (SCRP), as part of a validated PCI-listed SPoC Solution |
9% |
22 |
NO |
| D - Merchant |
All other SAQ-eligible merchants not meeting the criteria for any other SAQ type |
100% |
233 |
YES |
What is an Approved Scanning Vendor (ASV)?
ASVs are organizations which perform the quarterly external scans for merchants and have been qualified and pre-approved by the PCI Council. It is required that all companies submitting quarterly network scans use a company who has achieved ASV status.
Note that your organization will be required to submit “clean” scans, meaning there are no failing vulnerabilities found and the scans have been attested-to by both you and your ASV. Oftentimes, organizations choose to perform their first few scans a little earlier than when the quarter ends so that any failing vulnerabilities or issues found can be remediated and a rescan performed in time.
Contact the VikingCloud team to find out how we can help make sure your organization stays PCI compliant
.png)