This article will give you an overview of PCI compliance regulations and suppliers for UK merchants, as well as the cost of PCI compliance. Learn about the different PCI compliance levels and how to comply with PCI DSS under each of these categories.
What Is PCI?
PCI DSS is an acronym that stands for Payment Card Industry Data Security Standard. PCI DSS is an information security standard for all businesses around the world that handle cardholder information for the major debit and credit cards.
This means that any merchant accepting card payments face to face with a PDQ machine, online through a payment gateway or as a MOTO payment through a virtual terminal must comply with PCI DSS, or ensure that the services he or she uses are PCI DSS compliant.
PCI Compliance Levels & Requirements
PCI Compliance Levels are worked out based on a number of factors, including the size of a business, the amount of transactions processed per year, and the method through which these transactions are processed.
There are four different levels, but each card scheme (Visa, MasterCard, American Express and so on) has its own criteria for meeting PCI DSS. All levels are subject to a self-assessment questionnaire in order to assess whether they are PCI compliant.
The details of each level are outlined below:
|Level|Merchant Criteria|Validation Requirements|
|1|Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region|Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company; quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form|
|2|Merchants processing 1 million to 6 million Visa transactions annually (all channels)|Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; Attestation of Compliance form|
|3|Merchants processing 20,000 to 1 million Visa e-commerce transactions annually|Annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form|
|4|Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually|Annual SAQ recommended; quarterly network scan by an ASV if applicable; compliance validation requirements set by the merchant bank|
PCI Level 1
Level 1 refers to businesses that process over 6 million payments a year and therefore applies to large companies and those who deal with a large volume of sales or payments.
Businesses must complete an annual self-assessment questionnaire and are subject to quarterly scans via an ASV (PCI SSC Approved Scanning Vendor). Merchants who have suffered a major attack or hacking of data will also be classed as Level 1.
This level of PCI compliance costs the most, since it usually affects large companies who have lots of software and hardware to upgrade to meet security standards. There are also the added costs of training an internal auditor.
PCI Level 2
Level 2 refers to businesses that process between 1 million and 6 million payments a year. To validate Level 2 PCI DSS compliance, businesses must complete an annual self-assessment questionnaire, undergo a quarterly ASV scan and have an on-site assessment.
PCI Level 3
Level 3 refers to businesses that process 20,000 to 1 million payments a year via e-commerce, and therefore could apply to both large and medium-sized businesses. Level 3 requires an annual self-assessment as well as the quarterly security scan by the ASV.
PCI Level 4
Level 4 refers to businesses that process up to 20,000 payments a year via e-commerce, or up to 1 million payments via other channels.
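The level criteria above overlap (a breached merchant is Level 1 whatever its volume, and the all-channel thresholds take precedence over the e-commerce-only one), so here is an added Python example, not from the original article, that classifies a merchant from its annual Visa transaction counts in that order of precedence. The MerchantProfile fields and every transaction count are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class MerchantProfile:
    """Annual Visa transaction counts for one merchant (constructed sample data)."""
    ecommerce_tx: int            # e-commerce transactions per year
    total_tx: int                # transactions across all channels, including e-commerce
    suffered_breach: bool = False  # major attack or compromise of cardholder data


# Validation steps per level, as listed in the table above.
VALIDATION = {
    1: ["Annual ROC by a QSA or signed-off internal auditor",
        "Quarterly ASV network scan", "Attestation of Compliance form"],
    2: ["Annual SAQ", "Quarterly ASV network scan", "Attestation of Compliance form"],
    3: ["Annual SAQ", "Quarterly ASV network scan", "Attestation of Compliance form"],
    4: ["Annual SAQ (recommended)", "Quarterly ASV network scan (if applicable)",
        "Validation requirements set by the merchant bank"],
}


def pci_merchant_level(m: MerchantProfile) -> int:
    """Return the PCI DSS merchant level (1-4) using the Visa criteria above.

    Rules are applied in order of precedence: a compromised merchant is Level 1
    regardless of volume; then the all-channel volume thresholds; then the
    e-commerce-only threshold for Level 3; everything else is Level 4.
    """
    if m.ecommerce_tx > m.total_tx:
        raise ValueError("e-commerce count cannot exceed the all-channel total")
    if m.suffered_breach or m.total_tx > 6_000_000:
        return 1
    if m.total_tx >= 1_000_000:          # 1 million to 6 million, all channels
        return 2
    if m.ecommerce_tx >= 20_000:         # 20,000 to 1 million e-commerce only
        return 3
    return 4


def validation_steps(m: MerchantProfile) -> list[str]:
    """Validation requirements that apply to this merchant's level."""
    return VALIDATION[pci_merchant_level(m)]


if __name__ == "__main__":
    shop = MerchantProfile(ecommerce_tx=50_000, total_tx=200_000)
    print(pci_merchant_level(shop), validation_steps(shop))
```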
PCI DSS Compliancy Requirements
In order to accept card payment either face to face or online, you will need to meet certain security requirements. These ensure security and fraud protection when you store, process or transmit cardholder data.
Meeting these requirements is usually what causes PCI compliance costs to be so high, as your systems, including software and hardware, may need to be upgraded.
You will have to install and maintain a firewall configuration to protect cardholder data, and you must not use vendor-supplied defaults for system passwords or other security parameters.
Make sure that cardholder data is encrypted when transmitted across public networks, and that any cardholder data stored on your systems is protected.
Vulnerability Management Program
This involves using regularly updated anti-virus software on all systems that could be affected by malware, and developing and maintaining secure systems and applications.
Restrict Access To Data
By assigning a unique ID to each person with computer access, and by limiting physical access to cardholder data to key personnel, you will be able to show that you have implemented strong access control measures.
Regularly Monitor And Test Networks
By tracking and monitoring all access to network resources and cardholder data, you will be able to identify any weak spots that could compromise your security.
Maintain An Information Security Policy
Although most merchants already have in place most of the processes that protect cardholder data, having formal structures implemented will ensure that preventative measures are maintained, and will avoid potential liability in the event of fraud resulting from the theft of data.
In addition, merchants who were not PCI DSS compliant at the time of a security breach (that resulted in cardholder information being accessed) can also be fined in line with credit card scheme penalties.
Cost for PCI Compliance
The costs of securing PCI compliance vary according to a number of factors, including the size of the business, its annual revenue, the number of transactions processed a year, and whether it has previously been the target of hackers or suffered a security breach.
The biggest variable is whether a business needs to upgrade its software and hardware, which can have a huge impact on businesses with a lot of equipment to replace. For businesses whose systems are up to date and already meet the security requirements, the cost of PCI compliance can be low; most compliance costs result from the need to upgrade security systems and processes.
Most merchant account providers offer services to ensure that businesses are PCI compliant, and will manage this on their behalf for around £20 a year. There may be additional costs for ASV scans, which could be priced at around £35 a quarter.
Businesses may also be charged a ‘non-compliance’ fee, reflecting the merchant account provider's efforts to bring them into compliance; this fee is dropped once the requirements are met.
All businesses, large and small, need to ensure compliance no matter what their revenue is, and any costs associated with becoming compliant should be considered in advance.
PCI Compliance Assessment
PCI compliance is monitored by the PCI Security Standards Council (PCI SSC), which is an open forum that operates globally to organise, develop and implement data protection security standards. They strive to ensure that all businesses that handle credit and debit transactions are aware of and respect all data security measures, regardless of their location.
Although the PCI Security Standards Council is an independent organization, it was founded by American Express, Discover, Mastercard, Visa and JCB International, in order to ensure that people using their services online or otherwise were being protected.
The primary purpose of data regulation under PCI compliance is to reduce payment card fraud over the internet, and increase data security for the cardholders.
Merchants are required to complete a self-assessment questionnaire in order to determine that they meet the appropriate guidelines, and are then subject to a security test via an ASV if their transactions are carried out over the internet, or if any personal details are stored.
The best way for businesses to determine which level they belong to is to speak to their merchant account provider. The provider will have an accurate count of the transactions processed and can offer advice to help answer some of the questions on the self-assessment form.
Penalties for Non-Compliance
Merchants who are non-compliant can be faced with huge fines. In cases of compliance violations, payment brands can fine the acquiring bank anywhere from £3000 upwards.
The banks then pass this fine down until it reaches the merchant, which for most businesses, can be a damaging amount. Your bank can also choose to terminate your account, or increase your transaction fees.
PCI Compliance Service Providers
Trustwave is one of the leading providers of PCI compliance solutions, working with major credit card processing companies such as Barclaycard. They cover all business types from small businesses through to large businesses, as well as online, face to face and over the phone sellers.
Not only can they ensure that businesses themselves are compliant, but they can also check that merchant account companies and service providers are also PCI compliant in order to then offer this service to their clients.
Offering services including security training, actual compliance services as well as reviews and audits of systems, Trustwave are a recommended service who will ensure total compliance with solutions best suited to your needs.
Verizon are another major provider of PCI compliance solutions, who can help businesses as well as service providers to ensure their systems are secure and are in the best interests of their clients.
Offering services which include business impact analysis, readiness assessment, compliance management and consulting, Verizon can offer a complete range of services to get a business PCI certified. They can help businesses at all PCI compliance levels by tailoring the appropriate services for their needs.
Reliable and affordable, Verizon already provide PCI compliance services to businesses including Elavon Merchant Services Europe, Monitise and others.
K3DES is the PCI compliance service provider recommended by PayPal, using effective analysis and management to ensure that businesses are PCI compliant at every level.
Their broad range of services includes assessments, training, vulnerability scans (both internal and external) as well as application penetration testing and more.
An expert in PCI compliance, K3DES is approved by the PCI Security Standards Council, which gives businesses assurance that their PCI compliance needs are in safe hands.
Offering businesses of all sizes tailored PCI compliance solutions, the company will work with clients in order to ensure proper certification.
Sysnet provide PCI compliance solutions for businesses all over the world, including World Pay. They offer a comprehensive range of services to ensure that businesses meet PCI standards whilst also checking these regularly to ensure that they continue to meet expectations.
They provide assessment, consultancy and validation services as well as carrying out their own ASV scanning and penetration testing. With a broad range of services which can be used by businesses of any size, at all PCI compliance levels, Sysnet are a recommended choice for businesses.
The above are just some of the recommended PCI compliance service providers who can give businesses the tools they need to become PCI certified. Certification lets them offer their customers the best level of service and security, and helps protect those customers against identity theft.
The most important step is to develop a system inventory to identify all the systems that store, process, or transmit your customers’ payment card details. Documenting the flow of this data will identify the systems that need to be protected, and the security that needs to be implemented to keep them protected.
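As an added example (not the article's own material), the following Python sketch models such an inventory: the systems that store cardholder data plus the documented flows between systems. From it the code derives the in-scope systems (anything that stores, processes or transmits cardholder data) and flags any cardholder-data hop that crosses a public network without encryption, the transmission requirement described earlier. The Flow and Inventory types, the system names and the flows are a constructed sample, not a real merchant's environment.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One documented hop of data between two systems."""
    src: str
    dst: str
    carries_chd: bool             # does this hop carry cardholder data (PAN etc.)?
    public_network: bool = False  # does it cross the internet or another public network?
    encrypted: bool = True        # is the hop protected by TLS or equivalent?


@dataclass
class Inventory:
    """System inventory: what stores cardholder data and how it moves."""
    stores_chd: set[str] = field(default_factory=set)   # systems that persist cardholder data
    external: set[str] = field(default_factory=set)     # systems the merchant does not control
    flows: list[Flow] = field(default_factory=list)


def in_scope_systems(inv: Inventory) -> set[str]:
    """Merchant-controlled systems that store, process or transmit cardholder data.

    Storage is declared explicitly; any endpoint of a cardholder-data flow
    processes or transmits it. External parties are excluded from the result.
    """
    touched = set(inv.stores_chd)
    for f in inv.flows:
        if f.carries_chd:
            touched.update((f.src, f.dst))
    return touched - inv.external


def unencrypted_public_chd_flows(inv: Inventory) -> list[Flow]:
    """Cardholder-data flows that cross a public network without encryption."""
    return [f for f in inv.flows if f.carries_chd and f.public_network and not f.encrypted]


# Constructed sample inventory for a small online shop (not a real merchant).
SAMPLE = Inventory(
    stores_chd={"orders-db"},
    external={"customer-browser", "payment-gateway"},
    flows=[
        Flow("customer-browser", "web-shop", carries_chd=True, public_network=True),
        Flow("web-shop", "orders-db", carries_chd=True),
        Flow("web-shop", "payment-gateway", carries_chd=True, public_network=True, encrypted=False),
        Flow("web-shop", "analytics", carries_chd=False, public_network=True, encrypted=False),
    ],
)
```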