Payment Card Industry (PCI) Compliance

PCI DSS compliance is of increasing concern to many merchants. 800 Call-KC is currently a validated service provider, or Level 1 processor.

PCI Compliance Levels

Merchants fall under four categories of PCI compliance depending on the number of transactions they process each year, whether they process for other merchants, and whether those transactions are performed from a brick and mortar location or over the Internet.

Remember: all merchants that process credit cards, small or large, must be PCI compliant.

Now here is where PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has its own requirements and definitions of PCI compliance levels. Even though the PCI Security Standards Council (PCI SSC) developed these standards, compliance is actually mandated by the individual payment card brands – Visa, MasterCard, American Express, Discover and JCB International.

To give you a general idea of how to determine your PCI compliance level, here are Visa’s PCI compliance level definitions:

  • PCI Compliance Level 1 – Merchants processing over 6 million Visa transactions annually (all channels), merchants that do processing for other merchants, or global merchants identified as Level 1 by any Visa region
  • PCI Compliance Level 2 – Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • PCI Compliance Level 3 – Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • PCI Compliance Level 4 – Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

Storefront merchants categorized as PCI compliance levels 2, 3, and 4 must complete an annual self-assessment questionnaire (PCI SAQ) in addition to a required quarterly network scan performed by an approved scanning vendor. The nature of the questionnaires, as well as the deadlines for reaching PCI compliance, varies slightly depending on whether the merchant falls into PCI Compliance level 2, 3, or 4, but the basic requirements remain the same.

Internet-based merchants are also divided into PCI compliance levels 1 to 4, with each PCI compliance level defined by the same transaction volumes as those for “brick and mortar” merchants. In addition, internet-based merchants at each PCI Compliance level must undergo a quarterly vulnerability scan performed by an approved scanning vendor. Although some PCI Compliance Level 1 internet-based merchants may be able to perform annual self-assessments (with the permission of their processor and card brand), the vast majority of internet-based merchants will be held to these PCI Compliance expectations.

As a Level 1-validated service provider, 800 Call-KC must have an outside Qualified Security Assessor (QSA) come on site to complete the Report on Compliance (ROC) document and sign off on the report when complete. External and internal penetration testing must also be performed to ensure the systems are safe and secure. First-time Level 1 certification can cost $300,000 and up, depending on the amount of work needed for the company to become compliant. Even after 800 Call-KC became a validated service provider, the work did not stop there. 800 Call-KC must continue to perform quarterly external and internal scans, log and authorize all changes to any merchant application, and audit all firewall and router configurations, ensuring that the network does not fall out of compliance. An audit is also required annually, with a QSA coming on site and completing the entire ROC process from start to finish. From the requirements above you can see that 800 Call-KC is dedicated to ensuring the security of the payment and personal data of its clients.



816-231-4321 • 1-800-722-5554

1616 North Corrington Ave • Kansas City, Missouri 64120