If you are a merchant who accepts card payments, you must comply with the Payment Card Industry Data Security Standard (PCI DSS) as specified by the PCI Security Standards Council (PCI SSC). Compliance must be validated every year if you want to continue accepting card payments.
Who is a Merchant?
The PCI SSC defines a merchant “as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.”
The PCI SSC categorises merchants into Levels 1-4 based on their annual transaction volume. Merchants handling more than 6 million transactions per year are Level 1 merchants. Merchants handling more than 1 million but fewer than 6 million transactions are Level 2 merchants. Merchants handling more than 20,000 but fewer than 1 million transactions are Level 3 merchants. Merchants handling fewer than 20,000 transactions annually are Level 4 merchants.
To ascertain its level, a merchant determines its annual transaction volume with the help of its acquiring bank; the volume over one year is typically used. Based on its business processes, the way it handles cards, and where it stores cardholder data, the merchant then determines the PCI validation requirements that apply to it.
Next, use a tool such as HackerGuardian, or engage a PCI SSC approved vendor, and follow its guidelines for validation. Once the vendor has confirmed compliance, the merchant submits the required validation documents to its acquiring bank, which passes the merchant's compliance information on to the card brands.