This will simplify your security requirements for preventing credit card identity theft

If you process through regular telephone lines, you at least have to fill out a simple questionnaire every year. If you use an IP connection, you need to follow the below requirements. The questionnaire is at https://www.pcisecuritystandards.org/tech/supporting_documents.htm

There is a lot of confusion about the ever-changing PCI security compliance requirements. Much of it is posturing by the credit card associations to a public concerned about identity theft. The truth is the card associations are putting the onus on merchants. They are doing that with the requirements below; if you don’t meet them and you are singled out, MC/Visa will fine you through your processing bank to make sure they have someone who will roll over and pay the fine. The bank, which has a hammer over your head because you are processing through them, will then turn around and collect the entire fine from you. If you try to change processors to avoid paying the entire fine, they will put you on the MATCH list and you won’t be allowed to open a merchant processing account anywhere in the USA. Suffice it to say that you don’t want to be the next merchant in the news for having your customers’ credit card info compromised. Read the below. Many of you will fall into the Level 4 category, so the requirements aren’t too bad. This is directly from Visa’s website to assure accurate information.

(direct link)
http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Merchants

Compliance validation details for merchants

Acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.

PCI Compliance Acceleration Program

Visa developed the PCI Compliance Acceleration Program to provide financial incentives and establish enforcement provisions for acquirers to ensure their merchants validate PCI DSS compliance. In accordance with the PCI Compliance Acceleration Program, acquirers must additionally ensure that all Level 1 and 2 merchants validate that prohibited data is not retained by submitting a completed Prohibited Data Retention Attestation form OR Confirmation of Report Accuracy form to their acquirer.

The Merchant PCI DSS Compliance Update highlights compliance progress for level 1, 2 and 3 merchants.

Merchant levels defined

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (“DBA”). In cases where a merchant corporation has more than one DBA, members must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, members will continue to consider the DBA’s individual transaction volume to determine the validation level. Merchant levels are defined as:

Merchant Level*   Description

1   Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
    Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

2   Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

3   Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

4   Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

* New merchant level definitions effective of July 18, 2006.

** Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

Compliance validation basics

In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.

Level / Validation Action / Validated By / Due Date

Level 1
  Validation action: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  Validated by: Qualified Security Assessor, or Internal Audit if signed by an Officer of the company (assessment); Approved Scanning Vendor (scan)
  Due date: 9/30/04. New level 1 merchants have up to one year from identification to validate.

Level 2
  Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  Validated by: Merchant (questionnaire); Approved Scanning Vendor (scan)
  Due date: New level 2 merchants: 9/30/2007

Level 3
  Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  Validated by: Merchant (questionnaire); Approved Scanning Vendor (scan)
  Due date: 6/30/05

Level 4*
  Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan (if applicable)
  Validated by: Merchant (questionnaire); Approved Scanning Vendor (scan)
  Due date: Validation requirements and dates are determined by the merchant’s acquirer

*The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Validation procedures and documentation

Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Acquirers must submit monthly status reports to Visa and all compliance validation documentation must be made available to Visa upon request. Acquirers and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation.

Compliance validation takes place at the merchant’s expense, as follows:

  • Level 1 Merchants
    The Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Security Audit Procedures document. This document is also to be used as the template for the Report on Compliance.

    Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Confirmation of Report Accuracy form completed by their assessor to their acquirers.

    Acquirers must submit the Confirmation of Report Accuracy form and a letter accepting the merchant’s full compliance validation to Visa upon receipt and acceptance of the merchant’s validation documentation.

    Download the PCI Security Audit Procedures.

    Download the merchant Confirmation of Report Accuracy.

  • Level 2/Level 3 Merchants
    The Annual PCI Self-Assessment Questionnaire must be completed by Level 2 and 3 merchants. Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire as specified by their acquirer.

    Download the PCI Self-Assessment Questionnaire.

  • Level 1/Level 2/Level 3 Merchants
    The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) address provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their level 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses as specified by their acquirer. Quarterly Network Security Scans are not required of merchants that do not have externally-facing IP addresses.

    Download the PCI Security Scanning Procedures.

For more information

To learn more about the CISP, contact Visa via email at AskVisaUSA@Visa.com.


Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten
Son, that whosoever believeth in him should not perish, but have
everlasting life.