If one of your retail solutions involves accepting credit card payments, you need to be PCI compliant.
Many online payment processing solutions will tell you that their drop-in credit card widgets mean you don't need to worry about being compliant, but this is incorrect. Even if you use a third party to handle the collection, processing and storage of cardholder data, you still need to comply and follow the required validation process.
Step 1 – Determining Your Compliance Level
Each credit card brand has its own compliance program, with merchant levels based on the number of transactions processed for that brand's cards alone. To confuse matters further, each brand differs in its level definitions and submission requirements.
For instance, according to Visa, Level 4 merchants are organizations that have up to 1 million Visa transactions per year. However, MasterCard categorizes organizations with that amount of transactions as Level 3 merchants. American Express does not have a Level 4.
Each level has its own compliance validation requirements. While Visa may classify you as a Level 4 merchant, American Express may view you as a Level 2 merchant.
In order to comply with the validation requirement for a Level 3 American Express merchant, you need to provide quarterly scans. But as a Level 4 Visa merchant, you only need to do so at the discretion of your acquiring bank.
You can visit the pages below to determine your exact level for each credit card brand and to find retail solutions that affect your levels:
Ultimately, your PCI level is decided by your acquiring bank, so it is a good idea to verify your assumptions with the bank.
What to Submit for Compliance Validation
Once you have determined which level you are, you can figure out what you need to provide to the acquiring bank to show compliance validation.
So if you meet Level 4 requirements, you need to determine which SAQ is the right one to submit. You will also need to find out if you need to submit quarterly external scans.
There are 5 types of SAQs, labelled A through D. The version you need to complete will depend on whether you use your own retail solutions to process payments, accept credit cards and store cardholder data.