What is PCI Compliance?

The payments industry is littered with acronyms.  Sometimes, I think people in the industry do it intentionally to make it more complicated than it already is – but I digress, let’s get to it and answer the question everyone is asking, “What is PCI Compliance?”

PCI stands for Payment Card Industry, and the PCI Data Security Standard (PCI DSS) is the standard that is referred to when people mention “PCI Compliance.”  It’s important to note, though, that there are other standards that exist, such as PCI P2PE, PA DSS, PA P2PE, and others.  For purposes of this post though, we will be discussing PCI DSS only and answer the question that so many merchants ask, “What is PCI Compliance?”

So, What is PCI Compliance?

Now that we know what PCI stands for, the next item is the DSS acronym – DSS stands for Data Security Standard.  When people refer to PCI Compliance, they are referring to PCI DSS.  PCI DSS is a set of controls and requirements designed by the PCI Security Standards Council (PCI SSC) to ensure that all companies that process, store, or transmit credit card data, regardless of size, industry or anything else, implement the proper controls to secure payment card data.  The initial PCI DSS standard, Version 1, was released in 09/2006, and the current standard is Version 3.2, which was released in May 2016.  For the first time since the creation of PCI DSS, the “new” version did not contain sweeping changes, which is a testament to the maturity of the standard after a decade of change within the payments industry.

The PCI DSS standard is managed by the PCI Council, also known as the PCI Security Standards Council (PCI SSC).  So, when we ask “What is PCI Compliance,” what we are really asking is “What is the PCI DSS standard, created by the PCI SSC?”  The PCI DSS standard is significant, and contains upwards of 350 separate controls.  So, as you can imagine, there isn’t a simple answer to this overly-simplified question, as “PCI Compliance” refers to a complex standard, which can be found here: Documents.

Once again, PCI DSS applies to all organizations that process, store or transmit credit card data.  So, PCI DSS applies to your local Mom-and-Pop coffee shop as well as to Starbucks.  Since Starbucks processes far more transactions than your local coffee shop, it falls into a different Merchant Level and is required to perform a more rigorous assessment.  Regardless of merchant size, PCI Compliance is an annual obligation: all merchants and service providers (e.g. payment gateways) are required to complete their PCI Compliance Self-Assessment Questionnaire or, for Level 1 Merchants (explained below), a full Report on Compliance (ROC).  The Merchant Level is determined from a 12-month period of transaction processing, based on the volumes in the chart below.

Merchant Level – Description

Level 1: Merchants processing over 6M Visa transactions per year.
Level 2: Merchants processing 1M to 6M Visa and/or MasterCard transactions per year.
Level 3: Merchants processing 20,000 to 1M Visa and/or MasterCard e-commerce transactions per year.
Level 4: Merchants processing less than 20,000 Visa and/or MasterCard e-commerce transactions per year, OR merchants (all channels) processing up to 1M Visa transactions per year.

So, based on the chart, Starbucks would be considered a Level 1 Merchant, whereas a local coffee shop would fall into the Level 4 category.

What PCI DSS SAQ Do I Qualify For?

First and foremost, Merchant Level 1 does not qualify for any SAQ.  Merchants who fall under the Level 1 umbrella must complete a full Report on Compliance (ROC) with an independent Qualified Security Assessor (QSA).  Merchant Levels 2 through 4 qualify for self-assessment, which is handled through a Self-Assessment Questionnaire (SAQ) specific to your merchant channel and how you process credit card transactions.  With PCI DSS Version 3.0+, even more SAQs were created.  Thankfully, the PCI SSC was kind enough to provide the SAQ breakdown below.  Which SAQ do you qualify for?

PCI DSS 3.0 Table of Key Changes

Columns: SAQ Validation Type; Description; # of Questions (v3.0); Change in # of questions from v2.1; ASV Scan Required (v3.0); Penetration Test Required (v3.0)

SAQ A
  Description: Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage
  Questions (v3.0): 14 (+1 from v2.1)
  ASV scan required: No
  Penetration test required: No

SAQ A-EP
  Description: E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage
  Questions (v3.0): 139 (NEW)
  ASV scan required: Yes
  Penetration test required: Yes

SAQ B
  Description: Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage
  Questions (v3.0): 41 (+12 from v2.1)
  ASV scan required: No
  Penetration test required: No

SAQ B-IP
  Description: Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage
  Questions (v3.0): 83 (NEW)
  ASV scan required: Yes
  Penetration test required: No

SAQ C
  Description: Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage
  Questions (v3.0): 139 (+59 from v2.1)
  ASV scan required: Yes
  Penetration test required: Yes

SAQ C-VT
  Description: Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage
  Questions (v3.0): 73 (+22 from v2.1)
  ASV scan required: No
  Penetration test required: No

SAQ D-MER
  Description: All other SAQ-eligible merchants
  Questions (v3.0): 326 (+38 from v2.1)
  ASV scan required: Yes
  Penetration test required: Yes

SAQ D-SP
  Description: SAQ-eligible service providers
  Questions (v3.0): 347 (NEW)
  ASV scan required: Yes
  Penetration test required: Yes

SAQ P2PE
  Description: Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage
  Questions (v3.0): 35 (+17 from v2.1)
  ASV scan required: No
  Penetration test required: No

Source: https://www.pcicomplianceguide.org/new-more-a-first-look-at-the-pci-dss-3-0-saqs/

What is PCI Compliance, and How Do I Become PCI Compliant?

Now that you have a better idea of the PCI Council, PCI DSS compliance and the SAQ that you fall into, we hope you’re no longer Googling “What is PCI Compliance?”  For next steps, we suggest contacting a Qualified Security Assessor (QSA) to assist you with your SAQ and PCI Compliance in general.  The larger QSAs have interactive online portals that walk you through your SAQ and attestation, and even provide vulnerability scanning tools for the merchant levels that require them.  If you’re a smaller merchant, falling into the Level 3 or Level 4 categories, we suggest contacting your merchant services provider (Wells Fargo, BAMS, TSYS, Heartland, etc.) directly.  Normally, your merchant services provider, also known as your merchant acquirer, will provide a simple online portal for smaller merchants to complete their annual PCI Compliance self-assessment questionnaire and attestation.

If you have any questions, please feel free to leave a question on our Q & A page and we will get back to you within the next few days!

About PCI Blog
PCI Blog is the most trusted PCI Compliance and IT Security blog on the web. Authored by industry experts within the payments and IT security industries, PCI Blog provides insight on the complex world behind modern compliance and security standards. As a wholly independent source of news within the payments industry, PCI Blog focuses on the ever-changing responsibilities of merchants who accept credit cards. PCI Blog also provides reviews on PCI compliance tools and enterprise security solutions to offer a fair, independent critique of product offerings within the payments industry.
