PCI Compliance

What is PCI Compliance?

If you are a merchant who accepts credit and debit card payments you are responsible for securely storing, processing, and transmitting cardholder data. The PCI Data Security Standard (PCI DSS) is developed and maintained by the PCI Security Standards Council to provide a set of requirements for the prevention, detection and reaction to cardholder data security breaches that could affect your business.

PCI Compliance Levels

To become PCI compliant, your business needs to implement and maintain a series of requirements that create a secure payments environment, protecting your customers and maintaining privacy for their payment card data. To certify compliance, most merchants (except extremely large ones) must complete a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AOC) annually.

The size of your business and the number and type of transactions you complete each year determines the level of compliance you must maintain and the complexity of the SAQ you must complete. Overall, there are four levels of PCI compliance.

Small businesses processing fewer than 1 million transactions per year are considered Level 4 merchants, as long as fewer than 20,000 of those transactions are classified as e-commerce (your customers enter transactions themselves on a website). If your credit card processing exceeds those levels, your business falls into a higher compliance level.

How you process your transactions is also important. There are different types of SAQ for merchants that process exclusively card-not-present MOTO (mail order/telephone order) transactions, e-commerce (web) transactions, card-present POS (Point of Sale, this includes using a swipe device on a mobile phone or tablet) transactions, or a combination of the three.

PCI Compliance Basics

The PCI DSS is comprised of 12 core requirements designed to protect cardholder data wherever it is transmitted or stored. The details are highly complex, but luckily as a PaySimple merchant you don’t need to concern yourself with most of them. PaySimple is a Level 1 PCI DSS certified Service Provider, and as such simply using the PaySimple system for all your credit card processing takes care of most of the PCI Requirements.

However, PaySimple can’t certify PCI Compliance for you. And, there are things you as a merchant are required to do in order to ensure that your business remains PCI Compliant. These include:

  • Only process credit cards using a PCI Compliant Service Provider or PCI Approved Software.
  • Never store the CID/CVV2 card security code in any format, in any way, ever.
  • Never store the magnetic track data from any card, in any format, in any way, ever.
  • Always protect cardholder data. This means:
    • Encrypting ANY electronic storage of full credit and debit card numbers.
    • Any paper document containing a full credit card number must be kept in a secure location (locked file drawer/safe) when not in use.
    • Only employees with a business need should have access to credit card numbers.
    • Prohibit sharing of User Ids and Passwords and use of Group User accounts.
    • Require strong passwords (7+ alpha-numeric characters) for all system access.
    • Immediately disable access for all terminated employees.
  • Secure and regularly examine all POS swipe devices for signs of tampering.
  • Secure all your business computers by installing and activating personal firewalls and anti-virus/anti-malware software and disabling all generic or default User accounts and passwords.
  • Create a security policy for your business that addresses all aspects of the PCI DSS. (See a sample for PaySimple merchants here.)

To complete PCI compliance for your business, or if you are unsure of the level of compliance you need, go through our PCI Compliance Checklist and answer the questions to the best of your knowledge.

PCI Compliance FAQs

For additional information about PCI compliance and why you need to become compliant, read our PCI Compliance FAQs.

PCI Compliance NPC

PaySimple has a special arrangement with NPC that enables us to offer most Level 4 MOTO merchants a greatly simplified PCI Compliance program. To complete your PCI compliance certification as a NPC credit card processor customer, follow these guidelines to complete your annual PCI certification.

PCI Compliance NAB

To complete your PCI compliance certification as a NAB credit card processor customer, use the steps outlined to complete your annual PCI certification.

Subscribe to the PaySimple blog for small business insights delivered straight to your inbox.

Copyright © PaySimple 2005-2017. All rights reserved. PaySimple is a registered ISO of Fifth Third Bank, Cincinnati, OH and is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA.