CoCard Austin's Blog http://cocardaustin.com/blog Credit Card Processing Open Discussion Mon, 06 Apr 2009 03:28:36 +0000 http://wordpress.org/?v=2.6.1 en PCI-DSS COMPLIANCE -What to Do First? http://cocardaustin.com/blog/?p=11 http://cocardaustin.com/blog/?p=11#comments Mon, 06 Apr 2009 03:14:50 +0000 admin http://cocardaustin.com/blog/?p=11  PCI-DSS has been around for a while and is now being mandated more effectively.

https://www.pcisecuritystandards.org/

Good news is that you do not need to hire a consulting firm with a price take of $2,000-$20,000 in most instances but you have to do something about the regulations associated with processing which are coming directly mandated from the card issuers (Visa/Mastercard). 

The first step is identifying what level merchant you are considered you are.   Once you know then you can take the appropriate action.  Note   if you are a level 4 merchant you can wait for your processor to contact you with their mandated program 

PCI Data Security Standard Compliance for Merchants

Merchant Level

Selection Criteria

Validation Actions

Validated By

1

Any merchant - regardless of acceptance channel - processing more than 6,000,000 Visa transactions per year

Any merchant that has suffered a hack or an attack that resulted in an account data compromise

Any merchant identified by any card association as Level 1

Annual On-Site Security Audit

and

Quarterly Network Scan

Independent Security Assessor or Internal Audit if signed by an Officer of the company

Qualified Independent Scan Vendor

2

1 million – 6 million Visa or MasterCard transactions per year

Annual PCI Self-Assessment Questionnaire

and

Quarterly Network Scan

Merchant

Qualified Independent Scan Vendor

3

20,000 – 1 million Visa or MasterCard e-commerce transactions per year

Annual PCI Self-Assessment Questionnaire

and

Quarterly Network Scan

Merchant

Qualified Independent Scan Vendor

4

Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year

Recommended Annual PCI Self-Assessment Questionnaire

and

Quarterly Network Scan

Merchant

Qualified Independent Scan Vendor

Validation requirements and dates for Level 4 merchants are determined by the merchant’s acquirer. Submission of scan reports and/or questionnaires by level 4 merchants may be required.

 

What does this all mean?
This compliance is what is required by MC/VISA of their processors, (First Data, NPC, Etc.) and the above chart is what is what they are being told they must have their merchants doing.  The processors have incurred significant expenses caused by this requirement and they will pass this on the the merchants.   These expenses are the process of contacting, supporting, and maintaining the records to show they have managed the regulation correctly.  

Merchants should expect to see a monthly fee added to their statement or may see an annual fee ranging from 100-450  to pay for this whole process or if they ignore the requirements. 

KEEP IN MIND ONCE YOU COMPLETE THE REQUIREMENTS IT DOES NOT MEAN YOU ARE NOT LIABLE FOR A BREACH OF SECURITY.

 

 

]]> http://cocardaustin.com/blog/?feed=rss2&p=11