PCI DSS compliance refers to the minimum set of security standards all merchants must meet in order to allow their customers to make credit card purchases.
This article serves as an introductory guide to those standards, with an emphasis on the merchant's responsibilities.
The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of requirements created by the PCI Security Standards Council. Its purpose is to protect credit card data handled by merchants and service providers. The full specification of PCI DSS is available on the PCI Security Standards Council website.
The PCI Council is responsible for the classification of merchants as well as validation of merchant compliance. It was founded by the five major card brands: VISA, MasterCard, American Express, Discover, and JCB.
As a merchant, you are responsible for the security of cardholder data and must be careful not to store certain types of data on your systems or the systems of your third-party service providers. You are also responsible for any damages or liability occurring as a result of a data security breach or other non-compliance with the PCI Data Security Standard.
This is not intended to be an all-inclusive guide to obtaining PCI compliance. PCI DSS is a complicated and potentially confusing minimum standard that nonetheless must be understood and followed to achieve proper data security. The purpose of this guide is to provide an outline of the steps you must take to become a PCI-compliant merchant.
Nexcess is a PCI-compliant hosting provider. This means we have taken the steps necessary to meet the security standards for our infrastructure as outlined in PCI DSS. This does not mean that simply by hosting with Nexcess your store instantly becomes PCI-compliant. Many items of PCI DSS compliance fall directly on you, and they must be followed to ensure full compliance of your store. If you accept payments via credit cards, PCI compliance is not optional. It is mandatory.
In terms of shared PCI DSS responsibility, certain parts of the requirements fall under our scope as the hosting provider, some parts fall under yours as the merchant, and some parts apply to both. A hosting provider's compliance reports will outline exactly which responsibilities regarding PCI DSS belong to the hosting provider and which belong to the merchant. A PCI DSS guide for merchants is available on the PCI Security Standards Council website.
Remember, compliance is not a one-time requirement. Being compliant reflects an ongoing commitment to performing periodic tasks at the correct intervals based on both the DSS and your merchant classification level. Compliance and security must constantly be monitored and, when necessary, enhanced in your operational policies and procedures.
A basic outline of the steps required to become PCI-compliant is listed as follows:
As an online merchant, you will fall into one of four merchant levels determined by your acquirer. Your classification level depends primarily on the number of credit card transactions you process annually, among other criteria. Your merchant level determines the steps you must take to begin the process of PCI compliance.
Each credit card company has its own criteria for classifying merchant levels; VISA and MasterCard are two of the most common and are listed below:
Level | Criteria
--- | ---
1 | Any merchant, regardless of acceptance channel, that meets one of the following conditions:
2 | Any merchant that processes 1 million to 6 million Visa or MasterCard transactions per year, regardless of acceptance channel
3 | Any merchant that processes 20,000 to 1 million Visa or MasterCard e-commerce transactions per year
4 | Any merchant that processes fewer than 20,000 Visa or MasterCard transactions online or processes fewer than 1 million Visa or MasterCard transactions across all payment types
Once you have made the necessary changes, PCI DSS requires you to perform a self-assessment to validate those changes. Most merchants will need an annual self-assessment, which consists of the Self-Assessment Questionnaire (SAQ), the Attestation of Compliance (AOC), and an independent vendor performing a quarterly network scan on your store.
Most third-party vendors will bundle these items into a package, providing you the questionnaire along with the necessary network scans. If you are classified as a level 1 merchant, additional steps are required, including an on-site assessment.
The following table outlines the necessary validation actions for each merchant level:
Merchant Level | Validation Actions | Validated By
--- | --- | ---
1 | Annual on-site PCI Data Security Assessment by a Qualified Data Security Company; Quarterly Network Scan; Attestation of Compliance (AOC) | Qualified Independent Approved Scanning Vendor (ASV); Qualified Security Assessor (QSA)
2 | Annual PCI Self-Assessment Questionnaire (SAQ); Quarterly Network Scan; Attestation of Compliance (AOC) | Qualified Independent Approved Scanning Vendor (ASV); Merchant's Acquirer
3 | Annual PCI Self-Assessment Questionnaire (SAQ); Quarterly Network Scan; Attestation of Compliance (AOC) | Qualified Independent Approved Scanning Vendor (ASV); Merchant's Acquirer
4 | Annual PCI Self-Assessment Questionnaire (SAQ); Quarterly Network Scan; Attestation of Compliance (AOC) | Qualified Independent Approved Scanning Vendor (ASV)
Simply answering “Yes” to every question in the SAQ does not make you PCI-compliant. You must back those answers up with actual controls, procedures, and policies detailing your efforts to meet the requirements. The SAQ is a checklist outlining the requirements set by the PCI Council.
After finishing the SAQ, you must then complete the Attestation of Compliance (AOC). The AOC is a self-certification asserting that you are both eligible to perform and have actually performed a PCI DSS self-assessment.
There are twelve requirements, grouped into six categories. A basic summary of those categories follows:
These are only basic requirements. The actual requirement categories are divided into several hundred specific requirements that must be met by all parties who have access to your store.
As a hosting provider, we have taken the necessary steps to make our infrastructure PCI-compliant.
Specifically, the policies and procedures include:
As a merchant, you are responsible for certain other aspects of PCI DSS. Your hosting provider's compliance information will contain specifics, but you are typically responsible for:
The actual PCI DSS requirements are considerably more detailed and thorough than the list above. It is therefore imperative that you read, understand, and comply with all PCI DSS requirements, including all measures of proper validation.
Yes. Any merchant or service provider that stores, processes, or transmits cardholder data must comply with the PCI DSS. The requirements apply to anyone who accepts credit cards as a payment method.
Storing cardholder data is possible under PCI DSS, provided you meet numerous additional requirements. These include, but are not limited to, using Payment Application Data Security Standard (PA-DSS)-compliant applications and storing only specific portions of the magnetic stripe data. Usually, your best option is not to store cardholder data unless it is absolutely necessary.
If you are hosted by Nexcess, submit the report to our Support Team, who will analyze and correct any reported issues. Once the issues are corrected, rerun the scan.
The PCI Security Standards Council website has a detailed breakdown of the requirements. For specific questions, you can seek assistance from a third party, who will provide you with a questionnaire. Your hosting provider can also answer your questions about overlapping responsibility.
Yes. Credit card associations such as Visa and MasterCard may levy fines resulting from cardholder data breaches. Their application and amount will vary according to the size of the breach and other criteria.
You must act immediately and accurately. Refer to the Visa website for the proper procedure.
For 24-hour assistance any day of the year, contact our support team by email or through your Client Portal.