MySagePay
Login >

Who Is Required To Be PCI Compliant?

Published

Simply put, any business which accepts credit cards is required to be PCI compliant in order to protect against fraud and data breaches.  

Payment Card Industry Data Security Standards (PCI DSS) are a set of regulations created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure all merchants who accept, process, store, or transmit credit card information do so securely. 

The PCI SSC consists of major payment card brands, such as Visa, MasterCard, American Express, Discover, and JCB.

The requirements do vary though, depending on the volume of transactions a business makes over a year.  For instance merchants under level 4 process the smallest amount of transactions per year (less than 20,000) and those under level 1 the highest (over 6 million). 

Even though PCI DSS is not mandatory, failing to comply with these regulations comes with significant penalties and costs for businesses running into hundreds of thousands. 
For a full description of what PCI is, see our “What is PCI?” article for more information.

The Different Levels of PCI Compliance

As mentioned above there are varying levels of PCI compliance depending on how many transactions your business processes over 12 months.


Level 1 
A business that processes over six million transactions annually (online, phone or credit card machine) 

Level 2 
A business that processes one to six million transactions annually (online, phone or credit card machine) 

Level 3  
A business which processes 20,000 to one million transactions online over 12 months. 

Level 4
A business that processes less than 20,000 transactions online annually and processes up to one million transactions annually

How Do You Become PCI Compliant?

Once you determine the level your business sits in you must complete the following in order to become PCI DSS certified:

Level 1 merchants: 

Level 1 businesses are not required to fill out an annual Self Assessment Questionnaire (SAQ) but must complete an annual Report on Compliance (ROC). This is an audit carried out on-site conducted by a Qualified Security Assessor (QSA) 
A quarterly network scan by an Approved Scanning Vendor (ASV) 
Attestation of Compliance Form

Levels 2-4 merchants:

An annual SAQ. Note: There are a number of SAQs, so ensure you fill out the most relevant one to you depending on how your business processes, stores or transmits card data. 
A quarterly network scan by an ASV 
An Attestation of Compliance Form

For a more detailed explanation on how to get PCI certified, see our ‘How Do I Get PCI Certified?’ article for more information.

Conclusion

If your business handles sensitive customer information it is vital you protect against data theft and fraud and comply with PCI regulations. 

Essentially, every business, no matter the level as outlined above, should consider the following in order to become and maintain, being PCI compliant. 

1. Assess

It’s imperative you identify where your business is open to risk. For example, a card reader, online networks and or even a filing cabinet. Any system that captures or stores sensitive data is part of PCI compliance. 

2. Remediate 

Fix any of those risks above. It might be worth speaking to your payment service provider to help you make the process easier. 

3. Report

Compile and submit the required reports depending on your business-level (ROC, ASV, SAQ)  to the acquiring banks and card networks you work with to prove you are compliant (the Attestation of Compliance Form)

Remember, maintaining payment security is serious and can have a devastating impact on your business therefore it’s important you adhere to the PCI Standards. See our ‘Failure to comply with PCI’ article for details on penalties if you don’t meet the requirements.