What is PCI Compliance?

As payment card use expanded, the major payment brands, acting through the Payment Card Industry Security Standards Council (PCI SSC), developed a set of requirements called the Payment Card Industry Data Security Standard (PCI DSS). The standard is intended to ensure that every company that processes, stores or transmits cardholder data maintains a secure environment. PCI DSS applies to all organizations and merchants that accept, transmit or store cardholder data, regardless of size or transaction volume; it is enforced contractually through the payment brands and acquiring banks rather than as a law.


Why Compliance Is Important

Compliance with the PCI DSS means that your systems meet an industry-recognized baseline for protecting payment card data, and that customers can trust you with their sensitive payment card information:
  • Trust means your customers have confidence in doing business with you
  • Confident customers are more likely to be repeat customers, and to recommend you to others

Compliance improves your reputation with acquirers and payment brands -- the partners you need in order to do business

Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future:
  • As attacks on payment card data become more sophisticated, it becomes harder for an individual merchant to stay ahead of the threats on its own
  • The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals
  • When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise

Why It Should Interest You

Compliance has indirect benefits as well:
  • Through your efforts to comply with PCI Security Standards, you’ll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.
  • You’ll have a basis for a corporate security strategy
  • You will likely identify ways to improve the efficiency of your IT infrastructure
But if you are not compliant, it could be disastrous:
  • Compromised data negatively affects consumers, merchants, and financial institutions
  • Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
  • Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
  • Possible negative consequences also include:
    • Lawsuits
    • Insurance claims
    • Cancelled accounts
    • Payment card issuer fines
    • Government fines

Are You Compliant?

This list is by no means complete, but if you answer "no" to even one of the following questions, you are not PCI DSS compliant (the corresponding PCI DSS requirement is given in parentheses):
  1. Have you installed, and do you maintain, firewalls or other network security controls that protect cardholder data? (Requirement 1)
  2. Do you deploy anti-malware software on systems commonly affected by malware, and keep it updated? (Requirement 5)
  3. Have you assigned a unique ID to each person with computer access, so that every action can be traced to an individual? (Requirement 8)
  4. Do you restrict physical access to cardholder data? (Requirement 9)
  5. Do you log and monitor all access to network resources and cardholder data (Requirement 10), and regularly test security systems and processes (Requirement 11)?

Different Merchant Levels

Different validation expectations apply to different merchants. Visa, Inc. ranks merchants according to the following system; the other payment brands maintain their own, broadly similar, level definitions, and your acquiring bank is responsible for determining which level applies to you.

Level 1
  Merchant selection criteria: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
  Validation requirements:
    • Annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA"), or by an internal auditor if signed by an officer of the company
      • The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor ("ISA") certification
    • Quarterly network scan by an Approved Scanning Vendor ("ASV")
    • Attestation of Compliance ("AOC") form

Level 2
  Merchant selection criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  Validation requirements:
    • Annual Self-Assessment Questionnaire ("SAQ")
    • Quarterly network scan by an ASV
    • Attestation of Compliance form

Level 3
  Merchant selection criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  Validation requirements:
    • Annual SAQ
    • Quarterly network scan by an ASV
    • Attestation of Compliance form

Level 4
  Merchant selection criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
  Validation requirements:
    • Annual SAQ recommended
    • Quarterly network scan by an ASV, if applicable
    • Compliance validation requirements set by the merchant's acquiring bank

SAQ Validation Types

Merchants that validate by self-assessment complete the SAQ that matches how they accept and handle cardholder data. Choosing an SAQ whose eligibility criteria you do not actually meet (for example, claiming SAQ A while your own web server still handles card data) invalidates the assessment, so confirm eligibility with your acquirer before starting.

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.

SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.

SAQ B: Merchants using only:
  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.

SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ D for Merchants: All merchants not included in the descriptions for the above SAQ types.

SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ.