Payment Card Industry (PCI) – Compliance

Over the last year we have received many questions asking about PCI compliance. What is it? Who is affected? What should we do? Let’s take a minute to break this down.

Several years ago the major financial institutions and credit card companies got together and created a “data security standard” to help safeguard sensitive credit card account information. The result of this was a set of rules for PCI compliance. I say rules, because they are not laws. Rather, it is a section written into your contract with your credit card processing company. Uncle Sam will not come after you if there is a breach, but Visa and MasterCard will. Losses can range from denial of owed credit card reimbursements to civil fines, lawsuits, and severe damage to your professional reputation.

Anyone who has watched the news in the past several months has seen articles on many data breaches across the US. The list of affected companies includes Target, Michael’s, EBay, and many more. This information theft enterprise is a multi-hundred-billion-dollar-per-year industry which affects large and small businesses alike.

Q. To which companies does this data security standard apply?

A. ANY business that accepts credit card payments for goods and services. In other words, many of our clients.

Q. I am a small business, not an international target like Michaels. Do I have to be concerned?

A. Yes. As seen in the chart below provided by Visa, even F1 Solutions meets the level 4 burden and is contractually obligated to comply. The majority of our customers are in the same tier as us; however, some may be in category three. These lower two categories require a network vulnerability scan and a self-assessment questionnaire (SAQ).


Level 1

  • Merchants processing credit card transactions annually (all channels) or global merchants identified as Level 1 by any Visa or credit card region
    • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by an officer of the company
    • The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification
    • Quarterly network scan by Approved Scan Vendor (“ASV”)
    • Attestation of Compliance Form

Level 2

  • Merchants processing 1 million to 6 million credit card transactions annually (all channels)
    • Annual Self-Assessment Questionnaire (“SAQ”)
    • Quarterly network scan by ASV
    • Attestation of Compliance Form

Level 3

  • Merchants processing 20,000 to 1 million credit card (e-commerce as well) transactions annually
    • Annual Self-Assessment Questionnaire (“SAQ”)
    • Quarterly network scan
    • Attestation of Compliance Form

Level 4

  • Merchants processing less than 20,000 credit card transactions annually
    • Annual SAQ recommended
    • Quarterly network scan
    • Compliance validation requirements set by merchant bank

Q. What happens if I don’t comply with PCI?

A. Honestly, it depends on what happens. If you never have a breach and your credit card vendors do not audit you, then maybe nothing. However, if you are breached and/or your processor audits you, then huge fines, bans from processing credit cards, civil litigation, and damage to your company’s reputation could occur. F1 has chosen not to take that risk. We have self-assessed and have gone several steps beyond just the vulnerability scan of our network.

Q. How should I proceed?

A. Only you can determine the acceptable risk level you and your company are willing to bear. F1 can help you fill out the self-assessment questionnaire and conduct the internal and external vulnerability scans that PCI requires. This is one of the many security services we offer to our customers.

Further details plus a more in-depth explanation of the terms and tiers described in this letter can be found here: https://www.pcicomplianceguide.org/pci-faqs-2/

If you have any questions or would like to discuss this further, please contact Jennifer at 256-461-0040.

Thanks,
