How to become PCI compliant in three steps
The Payment Card Industry Data Security Standard (“PCI DSS”) is an industry-mandated set of requirements created by major credit card brands in order to protect customer cardholder data. Being PCI compliant is required for any entity that stores, processes, transmits, or impacts the security of cardholder data.
Becoming PCI compliant can be complex: there are different PCI compliance levels, reporting, and validation requirements for various types of PCI merchants and service providers (explained below) depending on how they interact with cardholder data and annual card transaction volumes. First of all, how do you know if you have to be PCI compliant?
Who has to be PCI compliant?
According to the PCI Security Standards Council, any organization that processes, stores, or transmits payment data such as credit card information needs to be PCI compliant. The purpose is to protect consumers, so that their payment information is not entrusted to an organization that cannot secure it.
Is PCI compliance necessary?
The short answer is yes: if you fall within the categories that need to be PCI compliant, it is essential for your business. While PCI DSS isn’t a legal requirement, it is a requirement set by the major banks of the payment industry. If you aren’t PCI compliant, you may be charged thousands in recurring penalty fees.
While there is a cost to PCI compliance, it’s minimal compared to the potential cost of penalties, data breach lawsuits, and loss of business. If your company deals with cardholder data, refer to the following sections to learn more about what you need to do to determine your PCI compliance obligations and next steps.
1. PCI compliance starts with determining if your business is a merchant or service provider
Entities that deal with cardholder data fall into one of two categories: merchant or service provider. A merchant is a business that directly accepts customer payments for goods and services, like an eCommerce or brick and mortar retailer.
A service provider may not directly accept payments, but it comes into contact with payment data (or could impact the security of another entity’s cardholder data or cardholder data environment). Service providers include entities like:
- Hosting providers
- Managed security service providers
- Financial service companies
- Payment facilitators
Both service providers and merchants must be PCI compliant and formally validate their compliance status annually through a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). Both the SAQ and ROC assessments require the entity to complete an Attestation of Compliance (AOC).
The major difference between the SAQ and ROC is the level of validation and evidence required for PCI compliance. A SAQ is typically performed “in-house” by a qualified internal resource or team, while the ROC must be performed by an external Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).
Which level of PCI compliance and validation an entity is required to meet is determined primarily by annual transaction volume. A bank or the card brand may require an entity to complete a higher level based on perceived risk, a previous breach, or other factors.
2. Determine your required level of PCI compliance
PCI compliance for merchants
Both merchants and service providers are grouped into different PCI compliance levels that dictate how they must validate compliance. For merchants, there are PCI compliance levels one through four, primarily based on the number of transactions processed each year.
A merchant that processes over six million transactions annually is classified as “Level 1” and must complete a Report on Compliance. Merchants below this transaction threshold are classified as Level 2-4 and typically qualify to complete a Self-Assessment Questionnaire.
PCI compliance for service providers
For service providers, there are only two levels of PCI compliance: a PCI DSS Level 1 service provider processes over 300,000 transactions per year and is required to complete a Report on Compliance. A service provider that processes or impacts fewer than 300,000 transactions is a Level 2 service provider and typically qualifies to complete a Self-Assessment Questionnaire.
Many merchants and service providers that qualify for self-assessment (based on transaction volume) nonetheless choose to perform the higher level of validation through a ROC. There are several reasons an entity may pursue the more stringent validation process: compliance via ROC is often used to meet internal security requirements, to satisfy customer requests, or as a sales and marketing differentiator.
3. Complete the requirements for your level of PCI compliance
Once you have determined whether you fall into the merchant or service-provider category, and your PCI compliance level within it, you can determine your compliance obligations and the controls you need.
For Level 1 merchants and service providers: ROC and QSA/ISA
For both merchants and service providers, Level 1 entities are required to validate through an external third-party assessor (a QSA) or an Internal Security Assessor (ISA, which is essentially a QSA employed by your company).
The QSA/ISA will assist the entity in validating the scope of the cardholder environment, and assess the adequacy of relevant controls through a combination of:
- Documentation review
- Technical validation
- Observation of processes
At the end of the assessment, the QSA/ISA will complete the Report on Compliance and formally document the results in the Attestation of Compliance.
PCI compliance for non-Level 1 merchants and service providers (SAQ)
If you are a Level 2 service provider or a Level 2-4 merchant, the process to be PCI compliant is a bit simpler. Entities that qualify can complete a Self-Assessment Questionnaire and Attestation of Compliance. This process can be done by any qualified resource in your company, though many entities still choose to retain the services of an outside consultant to help them assess their compliance status.
For the SAQs that require it, you need to obtain a vulnerability scan from an Approved Scanning Vendor (ASV) each quarter, and you need to complete the SAQ to verify that you are adhering to all 12 PCI DSS requirements. Most companies with fewer than six million annual transactions can use a SAQ to demonstrate PCI compliance. There are eight SAQs to choose from, determined by how your company interacts with cardholder data (eCommerce only vs. in person, for example).
The PCI Security Standards Council (the governing body responsible for maintaining the various PCI programs) has released detailed guidance for determining your SAQ type. The last page of that guidance document includes a useful flowchart to quickly help you determine your type.
PCI DSS compliance can be a confusing and daunting task at first glance. If you are a current Vanta customer, contact your Customer Success Manager or our team of PCI compliance experts to help guide you through the PCI process.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
A SAQ A applies to Merchants that do not require the physical presence of a credit card (card-not-present channels such as eCommerce, mail, or telephone orders) and that have fully outsourced all cardholder data processing to PCI DSS compliant third-party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s systems or premises.
A SAQ A-EP is similar to a SAQ A, but applies to Merchants that don't receive cardholder data themselves but do control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).