
Computerware Blog

The Basics of PCI Compliance


Businesses today should accept card-based payments, regardless of their size. Beyond the convenience it offers customers, it is the most secure means you have of being paid. To protect consumers and their personal and financial information, the major card providers have adopted a unified regulation that applies to every business accepting these payments. Let’s review this regulation and how it impacts the average small-to-medium-sized business.

Understanding PCI

Established in 2006, the Payment Card Industry Data Security Standard (PCI DSS) was sponsored by the members of the PCI Security Standards Council. The council was founded to let the credit card industry self-regulate and manage the consumer-privacy standards that businesses would be held to. You almost certainly have at least one of the council’s members in your wallet right now: Visa, Mastercard, American Express, and Discover.

The standards this council established apply to every business that accepts payment cards from its customers. If you process or store payment information, or accept digital payments, PCI compliance is mandatory.

To remain compliant, any business that accepts payment cards needs to:

  1. Change passwords from the system defaults
  2. Install sufficient network security tools (antivirus, firewalls, etc.) to protect card data
  3. Encrypt transmission of card data across public networks
  4. Restrict the transmission of card and cardholder data to a “need to know” basis
  5. Assign a user ID to every user with server or database access
  6. Protect physical and digital access to card and cardholder data
  7. Monitor and maintain system security
  8. Test system security regularly
  9. Create written policies and procedures that address the importance of securing cardholder data
  10. Train staff on best practices for accepting payment cards

Any business, of any size or kind, that takes credit card payments needs to get these ten things done. Many businesses already accomplish them as part of their normal routine; if you aren’t one of them and you accept card-based payments, your non-compliance could get you in serious trouble.

PCI and the Size of Your Business

The checklist above covers what all businesses are responsible for, across the board. Depending on which “level” of business you operate (as defined by the PCI Security Standards Council), there are further requirements you must address. The council defines four levels you may fall into:

  • Merchant Level #1 - A business that processes more than six million payment card transactions per year.
  • Merchant Level #2 - A business that processes between one million and six million payment card transactions per year.
  • Merchant Level #3 - A business that processes between 20,000 and one million e-commerce payment card transactions per year.
  • Merchant Level #4 - A business that processes fewer than 20,000 e-commerce payment card transactions and fewer than one million payment card transactions overall per year.

Because a breach at a Level 1 merchant will almost certainly affect a larger number of consumers, the PCI regulatory bodies tend to focus on these larger organizations; the means simply aren’t there to check every business constantly. That doesn’t mean small businesses aren’t also facing severe risks. Here are the other requirements businesses must fulfill, based on their Merchant Level:

Merchant Level #1

Considering the scale of these businesses and the reach that they have to consumers both online and in-store, these merchants have much greater responsibility. PCI compliance for Merchant Level 1 requires that merchants:

  • Complete a yearly Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
  • Undergo a quarterly network scan by an Approved Scanning Vendor (ASV)
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #2

Requirements relax as transaction volume decreases, so Merchant Level 2 requires that merchants:

  • Perform a yearly Self-Assessment Questionnaire (SAQ)
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #3

This is where most medium-sized businesses fall, and it requires that merchants:

  • Perform a SAQ
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #4

This level covers the vast majority of small businesses. Like the two levels above it, it requires that merchants:

  • Perform a SAQ
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Noncompliant businesses can be reviewed and are generally fined, watched more closely in the future, or even prohibited from accepting payment cards at all. Obviously, this isn’t something you want to happen to your business.

To find out more about PCI DSS standards and what you can do to ensure your compliance, give the IT professionals at Computerware a call at (703) 821-8200 today.

Friday, July 10, 2020