If you accept payment cards at all, you have to comply with some element of the standard. Even if you work with a payment-card processor who handles the entire transaction so that card data never touches, transits, or is stored on your network, you still have to complete a minimal self-assessment questionnaire. That questionnaire confirms that only a reduced subset of the requirements applies to you; it does not mean none of them do.
There are different self-assessment questionnaires for a variety of scenarios, each with its own eligibility criteria. This is not the complete list, but it gives you an idea of how broadly the standard applies. You have to comply with PCI if you accept payment cards and you:
- Only accept card-not-present transactions (e-commerce or mail/telephone order) and fully outsource all functions that handle cardholder data
- Only accept e-commerce transactions and outsource all cardholder-data processing to a PCI-DSS–validated payment processor, but your own website controls how the customer is redirected to that processor
- Run an e-commerce site that accepts cardholder data directly, so that cardholder data is processed or transmitted on your systems or premises
- Use payment terminals that connect to your payment processor and to no other systems on your network
- Use imprint machines or standalone dial-out terminals connected via phone line to your processor
- Use a computer to enter card data manually, one transaction at a time, through a secure web browser connected to your acquirer, processor, or third-party service provider (a "virtual terminal")
- Use a POS system to process cardholder data, either as a brick-and-mortar retailer or mail/telephone-order business
- Store cardholder data electronically in any form
As you can see, PCI covers nearly every imaginable merchant scenario. Each one of them calls for PCI compliance and, at minimum, completion of the appropriate self-assessment questionnaire. The more of the payment flow you handle yourself, the longer the questionnaire and the more of the standard's requirements apply.
How do I comply?
Find out what your "merchant level" is. It is based on the number of card transactions you process per year, counted separately for each brand of card you accept, and the thresholds differ between card brands. Your acquirer bank can tell you your level and provide other guidance. Although the card brands define the level criteria, it is the acquirer that ultimately assigns your level, tells you which self-assessment questionnaire to complete, and decides whether you need quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). If you are unsure which questionnaire applies, ask the acquirer before you start; choosing the wrong one means either wasted work or an invalid attestation.
What’s new in PCI-DSS?
The latest version of the standard, version 3.2, contains new requirements. Most notable is the requirement to use multi-factor authentication for all non-console administrative access into the cardholder data environment, and for all remote network access that originates from outside your network into that environment, whether by staff, administrators, or third parties. "Multi-factor" means at least two independent factors (something you know, something you have, or something you are), and the second factor must not be something an attacker gets for free by compromising the first, so a password plus a second password does not qualify. ESET Secure Authentication provides simple and affordable two-factor authentication to meet this requirement.
Here’s the good news
Following the PCI requirements helps you protect your business against embarrassing and expensive data breaches. They are simply good security practice, whether or not a card brand is asking. If you accept relatively few transactions, the reporting requirements aren't that onerous. They're certainly not as onerous as dealing with the aftermath of a data breach.