Taking the Mystery Out of PCI DSS Compliance

Merchants that accept payment cards must comply with the Payment Card Industry Data Security Standard (PCI DSS).

These standards were established by a council representing the four major credit card companies (Visa®, MasterCard®, Discover®, and American Express®).

Although every merchant must comply, not all compliance requirements are the same. Generally, the larger the number of transactions processed, the more stringent the standards.

Compliance levels – The largest merchants (Levels 1, 2 and 3) are major processors of card transactions with significant initial and ongoing compliance mandates. These requirements apply only to large companies and are detailed in the Quick Reference Guide in the sidebar of this newsletter.

Level 4 merchants, which include most small and medium-sized businesses, have lesser but still significant PCI DSS requirements. Merchants at this level process either 20,000 or fewer eCommerce transactions or up to 1 million card transactions annually. They must complete an annual self-assessment questionnaire (SAQ) and, if they use any outward-facing IP addresses, undergo a quarterly network scan by an approved vendor in order to receive an Attestation of Compliance form.

Getting started – The first step in becoming PCI compliant is to complete an SAQ. The volume and type of transactions the merchant handles determine how many questions they may have to answer.

For example, a single-location small business with a standalone terminal connected to an analog phone line may have to answer as few as 20 questions. The same merchant connecting via the Internet may have to answer more than 50 security-related questions. If the merchant also uses an integrated, third-party software solution, the number of questions increases further.

Compliance options – Should the complexity of a merchant’s unique situation go beyond their ability to affirmatively answer such questions, there are two ways to speed the compliance process.

The first is to absorb the cost of engaging a third-party security assessment company to identify deficiencies and help the merchant remediate them. The second is to use a bundled solution that adds encryption and tokenization of card transaction data, which keeps readable card numbers out of the merchant's own systems. Doing the latter likely resolves 85-90 percent of the issues related to becoming PCI compliant.

PNC Merchant Services® is here to help – PNC Merchant Services can simplify this process through the Clover® Security Plus bundled security suite, which provides both encryption and tokenization. In addition, Clover PCI Compliance, a tool specifically designed to speed up initial compliance, is available.

PCI compliance doesn't have to be intimidating or costly. Clover Security can make the process easier at start-up and provide ongoing safeguards, reducing the likelihood of a data breach.


Quick Reference Guide: Four Levels of PCI DSS Compliance Requirements

The following is a brief overview from pcipolicyportal.com* of the steps needed to comply with the Payment Card Industry Data Security Standard (PCI DSS). For detailed requirements, our experienced client services representatives are available to assist you at 1-800-742-5030.

Level 1 – These are the big guys. Merchant Level 1 includes any merchant that processes more than 6 million card transactions annually. Among other requirements, they must undergo an annual onsite audit by a third-party security assessment company, which prepares an annual compliance report that is provided to their acquiring bank. They must also undergo a quarterly network scan by an approved vendor.

Level 2 – These are also big guys, but not quite as big. This level includes any merchant that processes between 1 and 6 million Visa® or MasterCard® transactions annually. Requirements are similar to those for a Level 1 processor. Increasingly, most Level 1 and Level 2 merchants run a daily network scan to help detect possible intrusions.

Level 3 – This level is specific to eCommerce merchants, i.e., any merchant processing 20,000 to one million eCommerce transactions annually. They must complete an annual self-assessment questionnaire (SAQ), undergo a quarterly network scan by an approved vendor, and submit an Attestation of Compliance form.

Level 4 – This level includes most small or medium-sized businesses. Merchants at this level process either 20,000 or fewer eCommerce card transactions or up to 1 million total card transactions annually. Other annual requirements are the same as for Level 3 processors.

* Source: http://pcipolicyportal.com/what-is-pci/merchants


To aid PCI DSS compliance, PNC Merchant Services' Clover® solution uses TransArmor® Data Protection to encrypt sensitive cardholder data while it is in transit from your point-of-sale (POS) system and to remove that data from your processing environment.

Please contact us at 1-888-235-6959 if you have any questions or need any assistance.



Important Legal Disclosures & Information

Visa is a registered trademark of Visa International Service Association and used under license; MasterCard is a registered trademark of MasterCard International, Inc.; Discover is a registered trademark of DFS Services, LLC; American Express is a registered trademark of American Express Marketing & Development Corp. in the United States and other countries.

The Clover® name and logo are owned by Clover Network, Inc., a wholly owned subsidiary of First Data Corporation, and are registered or used in the U.S. and many foreign countries.

TransArmor is a registered trademark of the First Data Corporation in the United States and other countries.

Merchant Services are provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.