PCI Compliance Guide - Internet 101

The Internet can be a great source of revenue for small business.  However, it can also be a great source of frustration for those who may not know the rules of doing business on the World Wide Web.

One such issue is PCI Compliance.
"The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment."   - PCI Guide
Ultimately the PCI guidelines exist to protect both consumers and businesses.  Credit card data that is easy to steal is a huge security issue for consumers, and businesses that knowingly store this data in an unsecured location are making the attackers' job easier.

Do I need to be aware of the PCI Guidelines?   

If you transmit, accept or store credit card information, then the PCI Compliance guidelines apply to you, regardless of the size of your business or organization.  These transactions can occur via the web or over the phone.

My website has an SSL, so I must be covered.

An SSL Certificate secures the connection between the customer's browser and the webpage on which credit card transactions occur, so card data is protected while in transit.  However, an SSL certificate does not secure the server on which credit card data may be stored, so any data kept there remains vulnerable.  An SSL Certificate is not enough to secure all credit card data, but it is an important component of secure credit card transactions.

Tip:  How do I know if a webpage is secure?  The URL should begin with "https://" 

I use a third-party to process transactions, so they'll take care of this.

Not necessarily.  It is important that your third-party vendor is PCI Compliant; however, some of the transaction data may still be saved on your servers.  Using a third-party may cut down your risk, but it's best to be sure your customers' data is safe.

Okay, where do I begin?

The first piece of information to gather is this:  How many VISA card transactions has your business or organization processed in the last 12 months?

  Level 1 - 6 million or more VISA transactions per year.

  Level 2 - 1 million to 6 million VISA transactions per year.

  Level 3 - 20,000 to 1 million VISA transactions per year.

  Level 4 - Fewer than 20,000 VISA transactions per year.

Most small-to-medium sized businesses fall in Level 4.

Assuming you're a Level 4 business, these are the steps you need to take to ensure PCI Compliance:

  1. Find which Validation Type your business falls under.

  2. Take the Self-Assessment Questionnaire (SAQ).  The instructions will tell you which questionnaires you need to complete.

  3. If you store cardholder information or if your processing systems are connected to the Internet, you'll need to complete a vulnerability scan and gather evidence that it passed.  Scans must be conducted by a PCI SSC Approved Scanning Vendor.

  4. Complete the appropriate Attestation of Compliance.

  5. Submit the SAQ (Self-Assessment Questionnaire), evidence of the passing scan (if applicable), and the Attestation of Compliance (found in the same document as the SAQ), along with any other requested documentation, to your acquirer.

Where can I find the standards online?

If you need a hand tackling PCI Compliance for your business, we would be happy to help!  We've been down this road with many of our clients and can leverage that knowledge for you!  Simply contact us today!

Useful Links
PCI Compliance Guide
Official PCI Security Standards Council
PCI Compliance Checklist by the Better Business Bureau


This post is the part of a series of Internet 101 information topics. As always, when class is dismissed, you're welcome to contact us if you have any questions or would like any additional information. If you don't feel at the head of your class, don't worry, we took notes.