Do I Need to Be PCI Compliant?

By Sandra Wrobel-Konior


You’ve just made the decision to start an online business. You’re going to sell products on the internet, which also means you need to find the best payment methods, but you’re not sure what the requirements for merchants are.

Today we’ll answer one of the burning questions: Do I need to be PCI compliant?

In general, PCI compliance is required by credit card companies to make online transactions secure and protect them against identity theft. According to the PCI Security Standards Council, any merchant that wants to process, store or transmit credit card data is required to be PCI compliant.

One of the main problems merchants have with PCI DSS is that it’s an extremely technical subject, so they understand barely anything when they try to learn more about the requirements and security standards.

The good news? We’re here to help.

First: What is PCI compliance?

In short, PCI DSS is a set of regulations created by the major payment card brands: Visa, MasterCard, American Express, Discover, and JCB. The scheme defines 12 general data security requirements that every merchant needs to follow. There are also over 200 sub-requirements, but not all of them may apply to you; it depends on your business.

Here are the 12 main PCI DSS requirements that merchants must meet:

Goal: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

Note that these general requirements apply to all merchants, regardless of their size or transaction volume.

What’s more, there are four different levels of compliance, and each level comes with its own requirements for merchants. Which level applies depends on the transaction volume the merchant processes annually. Generally speaking, merchants at level 4 process the smallest amount of transactions per year ($20,000), and those at level 1 the highest (over 6 million in transactions annually).

Depending on how the merchant is going to process, store or transmit card data, they need to fill in the relevant Self-Assessment Questionnaire(s) (SAQ). The main difference between the levels is that, for example, level 4 requires a self-assessment only, while level 1 certification requires an audit performed by a Qualified Security Assessor (QSA).

Even though PCI DSS is not part of any law, it is an internationally used set of regulations which comes with significant penalties and costs for organizations that don’t apply to

Source: Business 2 Community
