The Payment Card Industry Data Security Standard, known as PCI, is an industry set of requirements created by major credit card companies in order to protect cardholder data. Being PCI compliant is an essential for any merchant or payment service provider.
PCI compliance is highly complex and it’s different for various types of businesses. Learn the differences between PCI compliance for service providers and merchants and whether your business needs a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ).
Follow these steps to find out if your business needs to be PCI compliant and if you're taking the right precautions.
1. Determine if your business is a merchant or service provider
There are two types of PCI compliance: compliance for merchants and for service providers. A merchant is a business that accepts payments, like an e-commerce store. A PCI DSS service provider, on the other hand, is any other type of business that comes into contact with payment data at some point in the process.
Both service providers and merchants should be PCI compliant. Some requirements are different, though, primarily because of the differences in levels.
2. Determine your level
Within PCI DSS, both merchants and service providers are grouped into different levels. For merchants, there are levels one through four, primarily based on the number of transactions you process each year. For example, a merchant that processes six million or more payments each year is a level one merchant. Anything below is not a level one merchant.
For service providers
For service providers, there are only two levels. A PCI DSS level one service provider participates in more than 300,000 transactions per year. Any service provider that affects fewer than 300,000 transactions is a level two service provider.
3. Complete the requirements for your level
Now that you’ve determined your category (merchant or service provider) and your level within that category, you can learn requirements for your level. While the PCI standards are the same for everyone, the requirements for assessing your compliance are different.
For level one merchants and service providers (ROC and QSA)
For both merchants and service providers, level one businesses need to coordinate with a third-party assessor for an onsite PCI compliance audit. What is a PCI compliance audit, exactly? This process involves bringing in one of many trusted PCI compliance audit companies to investigate your security practices and determine if you’re adhering to the PCI DSS.
On top of this annual onsite audit, level one service providers and level one merchants need to get a scan of their system each year through an approved scanning vendor, or ASV. After all this is complete, you’ll submit your Attestation of Certification and Report on Compliance from the assessor along with your scan to receive your compliance certification. You need to complete this process each year to stay on the PCI compliance list of service providers or merchants.
For non-level one merchants and service providers (SAQ)
If you are a level two service provider or a level two through four merchant, the process is simpler. You need to receive a scan from an ASV each quarter and you need to complete a SAQ to verify that you are adhering to all 12 standards.
Most companies with less than six million annual transactions can use a SAQ to demonstrate compliance. There are eight SAQs to choose from and the scope varies greatly between them. A SAQ A is 16 pages long with 20 controls, while a SAQ D is 76 pages long with over 350 controls. A SAQ, like the name suggests, is self-assessment and does not require an assessor. This is generally considered an easier process than a ROC. However, for startups and small businesses that need a SAQ, the process still requires quite a bit of time and effort to prove compliance.
Learn more about PCI