Guide For Small Businesses: Understanding and Achieving PCI Compliance

Many small business owners may not realize that Best Practice 6.6 of the PCI Data Security Standard (DSS) became a requirement on June 30th, 2008. The regulation requires merchants dealing with debit and credit cards to tighten their security by both conducting application code reviews and installing Web application firewalls. This guide covers a lot of ground, but if you're a PaySimple merchant, much of the work is already done for you. Keep reading to see how, as a PaySimple customer, you can qualify for the simplest self-assessment questionnaire, SAQ A.

Best Practice 6.6 of the PCI Data Security Standard was put forth by the PCI Security Standards Council, which issues, maintains, and enforces the PCI security standards governing payment account data security; every company that handles payment cards must adhere to them. Across industries, however, small businesses are struggling to comply with the Council's standards, which are designed to protect consumers' personal data.

Consumers want to pay with their credit cards and be assured their data is safe, and small businesses want to collect payments in the way most convenient to customers while guaranteeing that data is secure. But since 2005, more than 80% of the instances of unauthorized access to card data have involved small merchants, according to Visa USA Inc. These small businesses account for 85% of the seven million locations nationwide that accept credit cards. And if a business is found not to be PCI Compliant, its merchant account will be suspended, leaving the business unable to accept credit cards.

Not all merchants are evaluated the same way in the eyes of Visa and MasterCard, though. There are several levels of PCI compliance, based on the number and type of transactions a business processes each year.

  • Level 1 Merchants - process over 6 million credit card transactions each year. 
  • Level 2 Merchants - process between 1 million and 6 million credit card transactions each year. 
  • Level 3 Merchants - process between 20,000 and 1 million e-commerce transactions each year.
  • Level 4 Merchants - process fewer than 20,000 e-commerce transactions per year, and under 1 million total transactions per year. The majority of small businesses fall into this category.

Level 1 Merchants are the only ones required to undergo an actual PCI Compliance Audit. Level 2 and 3 Merchants must complete an annual PCI Self Assessment, as well as quarterly network security scans. Level 4 Merchants must also complete an annual PCI Self Assessment, but in many cases are not required to complete the quarterly network scan. The self-assessment, the results of the network security scan (if applicable), and an attestation of compliance must be submitted to the Acquirer (the company issuing the small business its Merchant Account). The attestation of compliance certifies that the company has accurately completed the self-assessment and that it falls within the processing limits that make self-assessment applicable. The Acquirer is responsible for making sure that all of its merchants are PCI Compliant.

There are four Self Assessment Questionnaires (SAQs), each designed around the way a small business processes its payments. By using the PaySimple Solution as a third-party payment processing provider, and making sure that all transactions are entered directly into and stored exclusively in PaySimple Solution 3.0, small businesses performing e-commerce and MOTO (Mail Order/Telephone Order) transactions can qualify for the simplest questionnaire, SAQ A, which consists of only 11 questions (as opposed to the more complex SAQ D, which contains 226 questions). The key question in SAQ A is whether the third-party provider is certified PCI Compliant, which all PaySimple customers can confidently answer "yes."

PaySimple customers still need to take the following steps, if they have not already, to assure compliance with Best Practice 6.6 of the PCI Data Security Standard:

  • Determine the appropriate SAQ type for their business. Instructions for doing this can be found on the PCI Security Standards Council website at: https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions
  • Obtain and complete the appropriate SAQ, and submit it along with the attestation of compliance letter to their Acquirer (the company issuing the small business its Merchant Account). SAQ A, which also contains the attestation of compliance letter, can be downloaded here: https://www.pcisecuritystandards.org/docs/pci_saq_a.doc
  • Level 2 and Level 3 Merchants must contract for quarterly network security scans and submit a successful scan to their Acquirer. Most Level 4 Merchants who use PaySimple Solution 3.0 will not need to run their own quarterly scans, as they can be certified based on PaySimple's scans.
  • Take a hard look at their own business environment and make certain they are operating in a secure manner. Simple steps like shredding all documents containing credit card numbers, installing virus protection and anti-phishing software on all computers, and implementing strong policies for passwords and user IDs can go a long way toward protecting against a security breach.