
Jan
There is a set of established rules to protect the customer’s card data when paying online. It is called the Payment Card Industry Data Security Standard (PCI DSS) and is governed by the Payment Card Industry Security Standards Council (PCI SSC).
According to the PCI DSS Quick Reference Guide, it consists of 6 objectives with 12 main requirements.
To comply with these rules, merchants must complete a self-assessment (specific to their transactional behavior) to understand where they are already adhering to PCI DSS and where there may be gaps.
Within the PCI DSS standards, there are 4 levels of PCI compliance. These levels are based on the annual number of transactions for any given merchant.
- PCI Compliance Level 1: more than 6M MasterCard or Visa transactions per year, OR a merchant that has suffered an attack resulting in compromised card data, OR a merchant that a card association has designated as Level 1.
Pay Retailers is PCI Level 1 compliant.
- PCI Compliance Level 2: between 1M and 6M MasterCard or Visa transactions per year.
- PCI Compliance Level 3: between 20,000 and 1M MasterCard or Visa e-commerce transactions per year.
- PCI Compliance Level 4: fewer than 20,000 MasterCard or Visa e-commerce transactions per year, or up to 1M MasterCard or Visa transactions per year.
Levels 2, 3 and 4 share the same validation requirements: an annual self-assessment using the PCI SSC Self-Assessment Questionnaire, a quarterly network scan by an approved scanning provider (also available through the PCI SSC), and a Certificate of Compliance form.
Given the higher transaction volume associated with Level 1, its validation requirements are somewhat stricter. To comply with PCI Level 1, the merchant must have an annual compliance assessment conducted by a Qualified Security Consultant (QSA), in addition to meeting the requirements for Levels 2, 3 and 4.
What can happen if the above is not fulfilled? A breach of customer card data would tarnish your company's reputation, and you could also be sued, not by the PCI SSC, but by MasterCard and Visa, and possibly by any number of banks.
PCI compliance is definitely a complicated process, and with good reason. Customer payment data is at stake, and any company that wants to handle it should do everything possible to protect it.
At Pay Retailers, we are proud to say that our customers will always be safe with us.