Any merchant that stores, processes, or transmits customer cardholder data must comply with the PCI DSS.
The PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements designed to ensure that every merchant handling card payments maintains a secure environment. In practice, any merchant that has a Merchant ID and accepts credit cards is subject to the PCI DSS requirements.
Meritus shares the responsibility to manage and educate merchants about the standards determined by the PCI Security Standards Council founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
PCI compliance may seem difficult and confusing. In addition, compliance is an ongoing process, and not a one-time event. A relationship with Meritus ensures that you can focus on your business while we continuously guard and ensure your compliance, security and reputation for continued growth and success.
Merchants with PCI DSS questions or concerns can contact Meritus at 888-851-7558. For more information on PCI DSS and a full listing of the requirements, visit www.pcisecuritystandards.org.
Understanding PCI DSS
The requirements for compliance validation are different according to merchant level.
What’s your merchant level?
Level 1 is any merchant that processes over 6,000,000 transactions a year. Quarterly PCI scans are required, and an annual on-site assessment by a Qualified Security Assessor (QSA) is needed to evaluate security and produce an in-depth Report on Compliance (ROC).
Level 2 is any merchant that processes between 1,000,000 and 6,000,000 transactions a year. Quarterly PCI scans are required. In lieu of a Report on Compliance, Level 2 merchants can complete a Self-Assessment Questionnaire (SAQ). Level 2 merchants also have an additional one-page attestation to complete stating that they do not retain certain types of credit card information on file.
Level 3 is any merchant that processes between 20,000 and 1,000,000 transactions a year. Quarterly PCI scans are required. In lieu of a Report on Compliance, Level 3 merchants can complete a Self-Assessment Questionnaire (SAQ).
Level 4 is any merchant that processes between 1 and 20,000 transactions a year. Quarterly PCI scans are required. In lieu of a Report on Compliance, Level 4 merchants can complete a Self-Assessment Questionnaire (SAQ).
Take the First Step
Before a merchant is validated as compliant with the PCI DSS requirements, the merchant must complete a Self-Assessment Questionnaire and, if applicable, pass a quarterly external vulnerability scan.
What is a Self-Assessment Questionnaire (SAQ)?
The SAQ is a Yes/No questionnaire about the merchant’s card acceptance and processing environment. It is used to identify the merchant’s risk level and assess compliance with the following areas of the standard: cardholder data policies, procedures, administrative controls, access controls, and physical security measures. Meritus offers an easy-to-use tool to assist with completing the SAQ so that you can become compliant with minimal effort.
What is a Quarterly Vulnerability Scan?
PCI security scans are external scans conducted over the Internet by an Approved Scanning Vendor (ASV). They are used as part of a vulnerability management program and help identify vulnerabilities and configuration errors in web sites, applications, and IT infrastructure that have Internet-facing IP addresses.
PCI DSS Compliance with Meritus
For the safe handling of cardholder data, Meritus champions PCI DSS. We have negotiated preferred pricing on compliance services with our trusted third-party assessor of choice. The third-party assessor’s service portal makes compliance validation quick and easy.
Get started: https://www.pciapply.com/pci_meps_login.aspx
Non-Compliance
What happens if a merchant is not PCI DSS compliant?
Merchants must comply with the Payment Card Industry Security Standards. Any merchant that suffers a security breach or other compromise of cardholder data and is found to be non-compliant is subject to fines from the card associations. For example, Visa members are subject to fines of up to $500,000 per incident for any merchant or service provider that is compromised while not compliant at the time of the incident. Other, less tangible financial losses include harm to the business and the brand, and ultimately the loss of customer trust.
Additional Information
PCI DSS Security Scanning Procedures: https://www.pcisecuritystandards.org
Learn more about how the card associations enforce PCI DSS compliance by visiting the websites listed below.
Visa CISP: http://usa.visa.com
MasterCard SDP: http://www.mastercard.com
American Express DSOP: https://www.americanexpress.com
Discover Network DISC: http://www.discovernetwork.com