Is your business PCI Compliant? If not, you might be at a higher risk for security breaches and/or subject to fines.
What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set of requirements established to ensure that all businesses who process, store, or transmit credit card information maintain a secure transaction environment.
Why is PCI DSS Compliance important?
PCI DSS compliance protects both the business and their customers. Businesses that are not PCI DSS compliant are at greater risk for security breaches and are subject to heavy penalties.
Which credit cards are covered by PCI DSS Compliance?
Credit cards covered include any debit, credit or pre-paid cards branded with the association or brand logos of the five major payment card brands: Visa, MasterCard, American Express, Discover and JCB International.
What are the PCI Compliance Levels?
Businesses are assigned to a level based on their combined transaction volume including credit, debit, and pre-paid cards over a 12-month period. The four levels (from fewest to most transactions) and their requirements are:
- Level 4: Small businesses that process less than 20,000 eCommerce transactions and less than 1 million other transactions annually. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans may also be required.
- Level 3: Mid-sized businesses — those with between 20,000 and 1 million transactions annually fall into this level. Level 3 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans may also be required.
- Level 2: Level 2 businesses conduct between 1 million and 6 million transactions yearly. Level 2 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans may also be required.
- Level 1: “Big box” stores and major corporations are Level 1 companies, which are defined as having a minimum of 6 million transactions per year. In addition to an annual internal audit conducted by a qualified PCI auditor, Level 1 companies may also be required to undergo quarterly PCI scans.
What is PCI Self-Assessment Questionnaire (SAQ)?
A validation tool intended to assist businesses to self-evaluate their PCI DSS compliance.
How often does a business need to complete the Self-Assessment Questionnaire (SAQ)?
All businesses must complete an annual SAQ. The business will receive an email from TSYS/Sysnet Global Solutions or Merchant Protection Program stating the PCI DSS validation will expire soon. The email will provide a link to the compliance website.
What is a PCI Scan?
A quarterly test of system components, processes, and custom software to ensure security controls.
How will a business know if they need to complete a quarterly PCI scan?
The business will receive an email from TSYS/Sysnet Global Solutions or Merchant Protection Program informing you of an upcoming PCI DSS scan. The email will provide a link to the scan dashboard.
If you have any questions regarding PCI compliance or your compliance status, contact the compliance support team at 800.571.3928.
Visit bit.ly/SysnetSteps for a Step-by-step user guide.