We've been getting a lot of questions lately about both merchant and service provider PCI Compliance so we thought we would just write this up for everyone. If you're new to PCI Compliance, here is an overview to get you up to speed. The PCI DSS applies to any merchant or service provider that handles, processes, stores or transmits credit card data.
Merchants
For merchants, the PCI Security Standards Council has provided on-your-honor compliance validation tools in the form of Self Assessment Questionnaires (SAQ's). There are four SAQ's: A, B, C and D. The SAQ's were designed to accommodate both different business types, i.e. restaurant/ecommerce, and different business processing methods, i.e. merchant does/does not handle, process or store credit card data. Larger merchants who are processing millions of transactions per year are required to have an onsite audit conducted by a Qualified Security Assessor.
Here are two examples of how a merchant would choose a particular SAQ:
If an ecommerce merchant accepts credit card payment via their website and then stores the credit card information for future purchases, they would be required to fill out the SAQ D, or the long form as it's known, because they are handling, processing and storing credit card data. SAQ D includes the full ~250 controls in the PCI DSS Standard and requires the greatest amount of time, energy and money.
Conversely, if an ecommerce merchant only accepts credit card payment via their website and does not handle, process and store credit card data by using an API like ours or a hosted page, the merchant can qualify for the SAQ A, the shortest of the four. It includes roughly 20 controls and can be completed very quickly. In addition to this SAQ, some processors and or QSA's will also require that the merchant sign up for a scanning service of outward facing IP addresses - even though there is no credit card data present to be stolen. We've seen it argued both ways.
It is important to note in this second example that if this merchant accepts credit card payments over the phone, in addition to the website, they will no longer qualify for short form SAQ A because they are now processing, transmitting and potentially storing credit card data in their environment. They will instead be required to fill out the SAQ C.
Service Providers
Like merchants, any business that processes, handles or stores credit card data on behalf of a merchant is required to be PCI DSS Compliant. Visa maintains a list of Global PCI DSS Validated Service Providers on their website. Merchants are required to make sure their provider has been validated as PCI DSS Compliant. Achieving the Level 1 compliance requires an onsite audit by a Qualified Security Assessor.
Related posts:
PCI Compliance Basics
Cost of a credit card breach