PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), an important standard that the major card brands such as Visa and Mastercard have adopted to protect themselves and their merchants from the risks of exposed cardholder data. PCI DSS is not a law; it is a standard set by the major card brands rather than by legislation. However, much like a law, it carries penalties: if you fail to become compliant, you’re subject to non-compliance fees.
PCI compliance isn’t just another way for credit card companies to squeeze money from you. There are real benefits to becoming compliant apart from saving yourself from non-compliance fees. By completing the process and becoming compliant, you’ll:
Think of PCI compliance like an insurance policy. A compliant business has an advantage because it took the steps required to protect its customers’ data, and it reduces its liability in case something goes wrong. An important note: although becoming PCI compliant will do wonders for the security of your processing, it isn’t a catch-all solution. It won’t guarantee your data can’t be stolen, but it will greatly reduce the odds while also giving your business a defense in case a breach does occur. PCI compliance should be paired with other fraud-prevention initiatives to create a holistic protection plan for your business.
Ultimately, there are none. Becoming PCI compliant can be time-consuming without help, but you can alleviate this by having an industry expert like Evolve Payment walk you through the process. Monthly PCI compliance scans may reveal vulnerabilities in your firewall or other systems that you’re liable to fix, but these vulnerabilities existed before the scan, so finding them shouldn’t be considered a drawback. At the end of the day, every merchant should become PCI compliant, and it’s not as hard as it sounds.
The first step to understanding what standards your company needs to follow is to determine which PCI compliance level it falls under. There are four PCI compliance levels based on your company’s transaction volume over 12 months.
The self-assessment questionnaire (SAQ) is a form the merchant completes that qualifies them for PCI compliance. Determining which form to complete is the hardest part of this process, as there are numerous options based on how you accept cards.
Depending on whether you use box terminals, a fully integrated POS, an ERP system, or a virtual terminal, a different SAQ is required. The Evolve Payment team can help you determine which form is best for you. Otherwise, the PCI DSS website has a brief description of each form explaining its applicability.
Completing the SAQ can also be difficult without guidance and is often a discouraging step for merchants. Some SAQ questions can be misleading and hard to understand, and some questions may lead you to a different SAQ. Thankfully, there are a multitude of third-party companies that can walk you through the security process and act as a resource (Trustwave, Sysnet, and SecurityMetrics, to name a few).
At Evolve Payment, we are well-versed in the PCI compliance process and offer a more boutique approach than the big cybersecurity companies. Another option is to ask your processor for guidance, as most of them have a PCI compliance department.
After completing the SAQ, your processor will submit it for approval. This is a hands-off process with a quick turnaround. Once approved, your processor will send you a certificate and send your registration data to a PCI office. Once you’ve been registered, you’re officially compliant!
Merchants that are PCI compliant receive automatic quarterly scans that look for vulnerabilities in their systems. Most processing setups require scans, with one of the only exceptions being a standalone terminal on a dial-up connection. If you’re a retailer using an ethernet connection for your terminal, for example, you’ll need a scan. Make sure to look for the quarterly scan reports in your email inbox and implement any recommendations they contain.
Released in 2022, PCI DSS v4, also known as PCI 4.0, is the fourth major iteration of the Payment Card Industry Data Security Standard.
PCI compliance is an important insurance policy that helps keep your business and your customers safe. The costs associated with card-not-present fraud topped $6 billion in 2020, and this number is on an upward trend. Because of this, PCI compliance isn’t going anywhere anytime soon, and it’s arguably more important now than ever, especially with the rise in ecommerce as a result of the pandemic. Ecommerce transactions can’t use EMV (an acronym for Europay, Mastercard, and Visa, but in practice it just refers to the chip on your credit card), so they are especially vulnerable.
Becoming PCI compliant may seem like a headache, but it doesn’t have to be. There are many resources and experts who are ready to walk you through the process and protect your business. If you’re interested in becoming compliant and want an advisor to help you, Evolve Payment will examine your business needs and processing to determine the most accessible path toward compliance.
You can find a list of all PCI SAQs below. This list was pulled directly from the October 2024 edition of the SAQ Instructions and Guidelines document. For more details on which form to use and how to fill it out, you can visit the PCI Security Standards official website to read the fine print. Or, you can reach out to the Evolve Payment team and we will point you in the right direction.
A
Card-not-present merchants (e-commerce or mail/telephone-order) that completely outsource all account data functions to PCI DSS validated and compliant third parties. No electronic storage, processing, or transmission of account data on their systems or premises.
Not applicable to face-to-face channels. Not applicable to service providers.
A-EP
E-commerce merchants that partially outsource payment processing to PCI DSS validated and compliant third parties, and with a website(s) that does not itself receive account data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. No electronic storage, processing, or transmission of account data on the merchant’s systems or premises.
Applicable only to e-commerce channels. Not applicable to service providers.
B
Merchants using only:
B-IP
Merchants using only standalone, PCI-listed approved PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor. No electronic account data storage.
Not applicable to e-commerce channels. Not applicable to service providers.
C-VT
Merchants that manually enter payment account data a single transaction at a time via a keyboard into a PCI DSS validated and compliant third-party virtual payment terminal solution, with an isolated computing device and a securely connected web browser. No electronic account data storage.
Not applicable to e-commerce channels. Not applicable to service providers.
C
Merchants with payment application systems connected to the Internet, no electronic account data storage.
Not applicable to e-commerce channels. Not applicable to service providers.
P2PE
Merchants using only a validated, PCI-listed Point-to-Point Encryption (P2PE) solution. No access to clear-text account data and no electronic account data storage.
Not applicable to e-commerce channels. Not applicable to service providers.
SPoC
Merchants using a commercial off-the-shelf mobile device (for example, a phone or tablet) with a secure card reader included on PCI SSC’s list of validated SPoC Solutions. No access to clear-text account data and no electronic account data storage.
Not applicable to unattended card-present, mail-order/telephone order (MOTO), or e-commerce channels. Not applicable to service providers.
New SAQ for PCI DSS v4.
D
SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.
Not applicable to service providers.
SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ.