Request a callback
Opening hours
Monday08:00 – 21:00
Tuesday08:00 – 21:00
Wednesday08:00 – 21:00
Thursday08:00 – 21:00
Friday08:00 – 21:00
Saturday08:00 – 21:00
Sunday08:00 – 21:00
PCI Compliance for small and medium sized businesses

Are you a small or medium sized business looking for additional information about PCI Compliance?

On our website, PCICompliance.com, you will find useful information on how you can become PCI Compliant.

We also provide cyber security consulting and will allow you to protect your data from hackers.

If you want to check out our latest webinar: Click here

The main services of PCICompliance.com :

  • PCI Compliance consulting
  • Cyber security
  • Consulting and training such as
    • PCI compliance solutions
    • Cybersecurity training

Our cyber security services are especially interesting for small and medium sized businesses who want to become PCI compliant in the USA or abroad.

If you want to read the main faqs related to PCI compliance : click here

PCI Compliance solutions

Does you business need to become PCI Compliant ?

Our PCI Compliance experts are ready to help you protect your business by becoming PCI Compliant.

If you would like to know more about our services click here

How to become PCI Compliant ?

PCICompliance.com® is dedicated to helping you become PCIcompliant and to protect your assets from hackers. Our clients such as hotels or restaurants want to become PCI compliant.

Our PCI compliance experts will assist your rapidly in order to solve your issues.

Our cyber security experts are highly trained and will help you become PCI Compliant as fast as possible.

If you want to find out more about us, just click here

"PCI Compliace"

What are PCI Compliance acquirers ?

On this page, you will find everything about PCIcompliance acquirers.

To whom does PCI DSS apply ?


PCI Compliance applies to ALL organizations no matter what the size is or the number of transactions processed annually that accept store or transmits credit card data. The objective of PCI DSS (or PCI Compliance) is to protect credit card holders from having their data stolen.

You can find the latest PCI Data Security Standard (PCI DSS), PCI Security Standards Council website.

What are the PCI compliance ‘levels’ and how are they determined?


All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period.

Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’).

In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. Bloc 2

If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level. Merchant levels as defined by Visa:

Level 1 : Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2 : Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.

Level 3 : Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Level 4 : Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

* Any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level

Where can I find the PCI Data Security Standards (PCI DSS)?


A: The Standard can be found on the PCI SSC's Website:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

What are the PCI compliance deadlines?


A: All merchant that stores, processes or transmits cardholder data must be compliant now.

However, as a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines.

All deadline enforcement will come from your merchant bank. You may also find more information on Visa’s Website:
http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf.

I’m a small merchant and I only do a few credit card transactions ; do I need to be compliant with PCI DSS?


Yes. All merchants, small or large, need to be PCI compliant.

The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.

If I only accept credit cards over the phone, do I need to be PCI Compliant ?


Yes. All business that store, process or transmit payment cardholder data must be PCI Compliant.

Does my organization have to be PCI compliant if we only use third-party processors ?


Yes. Simply using a third-party company does not exclude a company from PCI compliance.

It may reduce the scope and therefore reduce the effort to validate compliance.

Nevertheless, your organization still needs to be PCI compliant.

My business operates in different locations, do I need to be PCI Compliant for each location ?


If your business locations use the same Tax ID, then most you are only required to validate once annually for all locations.

Also, if applicable, you will need to submit quarterly passing network scans by an PCI SSC Approved Scanning Vendor (ASV).

Are debit card transactions in scope for PCI Compliance ?


Yes, debit card are in scope of PCI Complaince. In-scope cards include any debit, credit, and pre-paid cards with one of the firms that participate in the PCI SSC : American Express, Discover, JCB, MasterCard, and Visa.

if I have an SSL certificate, am I PCI DSS compliant?


No. SSL certificates by itself, do not secure a Web server from attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance, but there are other steps to achieve PCI Compliance.

What are the penalties for noncompliance?


If the payment brands find that the acquiring bank is in breach of PCI compliance, they may fine the acquiring bank from $5,000 to $100,000 per month for PCI compliance violations.

The banks will very likely pass this fine on to the merchant. It is also likely that the bank will either terminate your relationship or increase transaction fees. Penalties are not widely publicized, but they can catastrophic to a small business. We therefore encourage you to read your merchant account agreement, which should outline your exposure.

What is considered ‘cardholder data’?


Cardholder data is not only the credit number, but any personal identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

What is the definition of ‘merchant’?


For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

What constitutes a payment application?


For PCI compliance, the term payment application has a very broad meaning in PCI.

A payment application is anything that stores, processes, or transmits cardholder data. This means that anything from a Point of Sale System (e.g., Verifone swipe terminals, ALOHA terminals, etc.) in a restaurant to a Website e-commerce shopping cart (e.g., CreLoaded, osCommerce, etc) are all classified as payment applications.

What is a payment gateway?


Payment Gateways connect a merchant to the bank or processor that is acting as the front-end connection to the Card Brands. They are called gateways because they take route data coming from different applications to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, Web-based connections or privately held leased lines.

What constitutes a Service Provider?


For PCI compliance, a service provider is considered as any company that stores, processes, or transmits cardholder data on behalf of another entity by the Payment Card Industry (PCI) guidelines.

How is IP-based POS environment defined?


The point of sale (POS) environment refers to a transaction that takes place at a merchant location (i.e. retail store, restaurant, hotel, gas station, convenience store, etc.). An Internet protocol (IP) -based POS is when transactions are stored, processed, or transmitted on IP-based systems or systems communicating via TCP/IP.

What is PA-DSS and PABP?


PA-DSS refers to Payment Application Data Security Standard maintained by the PCI Security Standards Council. PABP is Visa’s Payment Application Best Practices, which is now referred to as PA-DSS. Visa started the program and it is being transitioned to the PCI Security Standards Council (PCI SSC). To address the critical issue of payment application security, in 2005 Visa created the Payment Application Best Practices (PABP) requirements to ensure vendors provide products which support merchants' efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data. See www.visa.com/pabp for more information. The Payment Card Industry Security Standards Council (PCI SSC) will maintain the PA-DSS and administer a program to validate payment applications' compliance against this standard. The PCI SSC now publishes and maintains a list of PA-DSS validated applications. See https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml for more information. VISA MANDATE PHASE DEADLINE

1. New PCI Level 4 merchants (including new locations of existing relationships) may not use vulnerable payment application versions – those that store prohibited cardholder data. January 1, 2008
2. New PCI Level 4 merchants using third-party payment software must be either PCI DSS-compliant or use PA-DSS validated compliant payment applications. October 1, 2008
3. ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. July 1, 2010


Can the full credit card number be printed on the consumer’s receipt?


PCI DSS requirement 3.3 states "Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).” While the requirement does not prohibit printing of the full card number or expiry date on receipts (either the merchant copy or the consumer copy)

Also, PCI DSS does not override any other laws that legislate what can be printed on receipts (such as the U.S. Fair and Accurate Credit Transactions Act (FACTA) or any other applicable laws). See the italicized note under PCI DSS requirement 3.3 “Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN, nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point of sale (POS) receipts).” Any paper receipts stored by merchants must adhere to the PCI DSS, especially requirement 9 regarding physical security. Source: PCI SSC

Do I need vulnerability scanning to validate compliance?


If you electronically store cardholder data after the transaction is complete or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.

What is a network security scan?


A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures. A scan may be performed by an organization’s IT department or a security service provide, possibly as a condition imposed by some authority. An Approved Scanning Vendor (ASV), for example, is a service provider that is certified and authorized by the Payment Card Industry (PCI) to scan payment card networks. Vulnerability scans are also used by attackers looking for points of entry.

How often do I have to scan?


Every 90 days you are required to submit a passing scan. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).

What if a merchant refuses to become PCI compliance ?


PCI is not a law in itself.

However, if a breach occurs, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc.

The consequences of a security breach can be catastrophic for a small or medium sized business. The cost of becoming PCI compliant and protecting cardholder data are therefore in our opinion well worth it.

I work at home, am I a serious target for hackers?


Yes, home users are arguably the most vulnerable simply because they are not conscious of the cyber security risks. Also because home computers are always connected to the internet, hackers can exploit weaknesses in P2P file sharing systems and messaging apps.

What should I do if I’m compromised?


We recommend following the procedures outlined in Visa’s” What to Do If Compromised Visa Fraud Control and Investigations Procedures” document. Link below. http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf

Do states have laws that requiring data breach notifications to the affected parties?


Yes. California was the first state to make it mandatory to report data breaches to affected parties. The state implemented breach notification law in 2003 and there are now over 38 states that have similar laws in place. See For more detail on state laws, see www.privacyrights.org