You’ve just decided to start an online business. You’re going to sell products on the internet, which means you also need to choose how you will accept payments, but you’re not sure what the requirements for merchants are.
Today we’ll answer one of the burning questions: Do I need to be PCI compliant?
In general, PCI compliance is required by the payment card brands to keep card transactions secure and to protect cardholder data against theft and fraud. According to the PCI Security Standards Council (PCI SSC), any merchant that processes, stores or transmits cardholder data is required to be PCI compliant, whatever its size.
One of the main problems with PCI DSS for merchants is that it is a highly technical subject, so many of them understand very little when they try to find out more about the requirements and security standards.
The good news? We’re here to help.
First: What is PCI compliance?
In short, PCI DSS (the Payment Card Industry Data Security Standard) is a set of security requirements created by the major payment card brands: Visa, MasterCard, American Express, Discover and JCB. The standard groups its controls into 12 general data security requirements that every merchant must follow. Beneath them sit over 200 sub-requirements, but not all of them will apply to you; which ones do depends on how your business handles card data.
Here are the 12 main PCI DSS requirements that merchants must meet, grouped under the six goals the standard defines (wording as in PCI DSS v3.2.1; v4.0 keeps the same six goals and 12 requirements with slightly reworded titles):

| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
Note that these general requirements apply to all merchants, regardless of their size or transaction volume. What changes with size is how compliance has to be validated.
What’s more, the card brands define four merchant levels, each with its own validation requirements, based on the number of card transactions a merchant processes per year. Broadly speaking (the exact thresholds vary slightly between brands), Level 4 covers the smallest merchants, those processing fewer than 20,000 e-commerce transactions a year, and Level 1 the largest, processing over 6 million transactions annually.
Depending on how the merchant processes, stores or transmits card data, it completes the Self-Assessment Questionnaire (SAQ) that matches its payment channel (for example, SAQ A for merchants that fully outsource all card handling to PCI DSS validated third parties, or SAQ D for merchants that store cardholder data on their own systems). The main difference between the levels is how compliance is validated: Level 4 merchants (and usually Levels 2 and 3) self-assess with the appropriate SAQ, while Level 1 merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC). Several SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
Even though PCI DSS is not itself a law, it is an internationally used standard, enforced through merchants’ contracts with their acquiring banks and the card brands, which comes with significant penalties and costs for organizations that don’t apply to
Source: Business 2 Community