PCI DSS Compliance
All merchants or business owners looking to operate an online business should make themselves acquainted with PCI DSS Compliance.

What is PCI DSS Compliance?

The PCI DSS (Payment Card Industry Data Security Standard) was founded by the card schemes (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.) to create a secure framework for handling customer credit card information. The idea behind PCI DSS Compliance is to ensure that customers' credit card information is kept as safe as possible at every stage of processing.

The PCI DSS is based around 12 major requirements grouped into 6 categories. The entire process of PCI DSS Compliance can be quite overwhelming to merchants, and it's for this reason that merchants often seek assistance from a Tier 1 PCI DSS Compliant Payments Gateway Provider to help them achieve PCI DSS Compliance.

What are my obligations?

If a merchant chooses to deal with all PCI DSS requirements themselves, they will first need to identify which Tier applies to their online business:

As listed in the above table, a merchant's requirements differ depending on the Tier in which their online business is classified. For most small merchants, a SAQ (Self-Assessment Questionnaire) and a network scan by an ASV (Approved Scanning Vendor) are sufficient. These requirements may differ from bank to bank, which is why a merchant should always ask their bank what is required from a PCI Compliance perspective when signing up for an online merchant facility.

Larger companies/organizations will need to complete the above as well as undergo an on-site audit, performed annually by a Qualified Security Assessor (QSA). A list of QSAs is provided by the PCI Security Standards Council and can be found here.

Can a payments gateway or processor help?

As a merchant, it's important to understand exactly which Tier you come under with respect to the PCI DSS. Merchants should pay particular attention to the following statement issued by the PCI Security Standards Council:

“PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.”

Because of this, merchants will often implement solutions offered by their Payments Gateway Provider so that the Payments Gateway Provider handles all customer credit card information on their behalf. By using a PCI DSS Compliant solution offered by a Payments Gateway, the merchant can reduce the scope of their own PCI DSS Compliance or shift PCI DSS liability to their Payments Gateway Provider.

Merchants must understand that there is a difference between being PCI DSS Compliant and being SECURE. If you require a SECURE PCI DSS Compliant solution, contact Australia's Leading Payments Gateway – Merchant Warrior (07) 3166 5489.