Any company that conducts business online and processes payments using credit card or bank account information must obtain PCI Compliance. The criteria for PCI Compliance was set by The
There are a few key players when it comes to processing credit card or ACH payments via the Internet: the merchant, the cardholder and the payment gateway. In PCI Compliance terms, the merchant is the party accepting a payment for a good or service. The cardholder is the person or business purchasing the good or service, and the payment gateway is what links all parties involved in the transaction. Thus, when an order is placed in your web store, you submit that data to a gateway. The gateway then passes the data via a secure connection to the merchant’s bank account. The merchant’s bank account then submits that information to the credit card network, which passes the information to the customer’s bank. This is where the transaction is approved or declined. Once this step has been completed, all the data is sent back the way it came, ending in the merchant’s bank with either funds or a note that the transaction was declined.
When it comes to transaction processing online, merchants fall into one of four levels, one through four. What needs to be completed in order to obtain compliance depends on the level.
- A level one merchant processes more than six million transactions each year
- A level two merchant processes between 150 thousand and six million transactions each year
- A level three merchant processes between 20 thousand and 150 thousand transactions each year
- A level four merchant processes less than 20 thousand transactions each year
Requirements to obtain PCI Compliance for these different levels are as follows:
- Level 1: Annual report on compliance, quarterly network scan and completion of Compliance Form
- Level 2: Annual self-assessment questionnaire, quarterly network scan and completion of Compliance Form
- Level 3: Annual self-assessment questionnaire, quarterly network scan and completion of Compliance Form
- Level 4: Quarterly network scan if applicable, annual self-assessment questionnaire recommended and compliance validation requirements as set by acquirer
Once you have determined what level you fall into, how do you get started with obtaining PCI Compliance? The standards set by the PCI DSS have 12 requirements that can be broken up into three steps: assess, remediate and report. These will be covered in part two of this piece on ACH/