Merchant PCI Compliance
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of global security standards designed to ensure that ALL companies that accept, process, store or transmit credit/debit card information and/or sensitive authentication data maintain a secure environment, so that customers and their data are protected no matter where they shop or which channel they use.
Most small merchants can use a self-validation tool to assess their level of cardholder data security.
The PCI DSS is administered and managed by the Payment Card Industry Security Standards Council (PCI SSC) (www.pcisecuritystandards.org), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). The payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
To whom does the PCI DSS apply?
The PCI DSS applies only to merchants that place orders paid with credit cards. All other payment methods available via the API do not fall under PCI DSS compliance.
The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, processes, transmits or stores any cardholder data. Using a third-party payment processor does not exclude a company from PCI DSS compliance; however, it does lower the company's risk exposure and consequently reduces the effort needed to validate compliance. There are four merchant levels (SAQ-A, SAQ-B, SAQ-C, SAQ-D), based on the number of transactions per card scheme (Visa, MasterCard) over the most recent 12-month period.
Are there any penalties for non-compliance?
Yes, there are. The payment card brands may, at their discretion, fine an acquiring bank up to $500,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. But more devastating than fines, credit card companies can also revoke the right of a merchant to process credit card transactions, providing a “virtual death sentence” for many companies.
What do 2Checkout merchants need to do to be compliant?
To be PCI compliant, merchants need to submit self-assessment questionnaires (SAQs) based on their business environment and implementation type.
The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended to meet the needs of particular types of environments.
In which category do 2Checkout merchants fall?
Based on the type of integration and the overall number of transactions forecasted for a 12-month period, 2Checkout merchants need the following PCI compliance level:
Cart type | Integration type | Required SAQ
Hosted shopping cart | Hosted Cart | SAQ-A
ConvertPlus shopping cart | Hosted Cart | SAQ-A
InLine shopping cart | iFrame | SAQ-A
Payment over API | API | SAQ-D
2Pay.js | API | SAQ-A
SAQ-A is recommended for merchants with fewer than 20,000 transactions per year (Level 4) and mandatory for those that transact over this threshold.
Specific questions about compliance validation levels and what you must do to validate your SAQ should be addressed to the acquiring financial institution or payment card brand. Below are the major credit card brand compliance programs:
American Express: www.americanexpress.com/datasecurity
JCB International: http://partner.jcbcard.com/security/jcbprogram
MasterCard: www.mastercard.com/sdp
Visa Inc: www.visa.com/cisp
Visa Europe: www.visaeurope.com/ais
VISA and Mastercard compliance validation levels for merchants
Merchant level | Transactions per year | Validation requirement
Level 4 | up to 20K | SAQ recommended, not mandatory
Level 3 | 20K - 1M | SAQ mandatory
Level 2 | 1M - 6M | SAQ mandatory, signed by a QSA or a trained PCI SSC ISA employee
Level 1 | 6M+ | SAQ replaced with PCI DSS certification
Cart type/merchant level
Cart type | SAQ | Level 4 | Level 3 | Level 2 | Level 1
Hosted shopping cart | SAQ-A | Recommended: yearly SAQ-A | Required: yearly SAQ-A; quarterly ASV* scan | Required: yearly SAQ-A; quarterly ASV* scan | Required: yearly Attestation of Compliance ("AOC") by a Qualified Security Assessor ("QSA"); quarterly ASV scan
ConvertPlus shopping cart | SAQ-A | Recommended: yearly SAQ-A | Required: yearly SAQ-A; quarterly ASV* scan | Required: yearly SAQ-A; quarterly ASV* scan | Required: yearly Attestation of Compliance ("AOC") by a Qualified Security Assessor ("QSA"); quarterly ASV scan
InLine shopping cart | SAQ-A | Recommended: yearly SAQ-A | Required: yearly SAQ-A; quarterly ASV* scan | Required: yearly SAQ-A; quarterly ASV* scan | Required: yearly Attestation of Compliance ("AOC") by a Qualified Security Assessor ("QSA"); quarterly ASV scan
Shopping cart via Order API (current API implementation) | SAQ-D | Required: yearly SAQ-D; quarterly ASV scan | Required: yearly SAQ-A; quarterly ASV* scan | Required: yearly SAQ-A; quarterly ASV* scan | Required: yearly Attestation of Compliance ("AOC") by a Qualified Security Assessor ("QSA"); quarterly ASV scan
*ASV = approved scanning vendor
2Checkout (now Verifone) is PCI Level 1 certified, which is the highest level of certification possible.