Thursday, June 30, 2016
PCI Compliance
Presenting a variety of payment options to your customers is important in today's competitive marketplace. Safeguarding the security of these transactions benefits both you and your customer. The Payment Card Industry or "PCI" security standards were established by the card associations to ensure that everyone involved with electronic payments does their part to make consistently safe and secure transactions a reality. That is why Concierge Payment Systems provides PCI compliant solutions for all varieties of electronic payments.
PCI DSS Summary

All businesses that accept or process payment cards must comply with the PCI DSS (Payment Card Industry Data Security Standard). This means any business or merchant that stores, processes, and/or transmits cardholder information is now required to be PCI compliant.

PCI DSS is a set of requirements for enhancing data security. It originally began as individual programs from Visa, MasterCard, American Express, Discover, and JCB. To facilitate the broad adoption of consistent data security measures, Visa, MasterCard, American Express, Discover, and JCB aligned their individual policies to release the Payment Card Industry Data Security Standard.

Levels of PCI Compliance

Compliance with PCI DSS helps reduce your exposure to fraud losses that can result from the theft of cardholder data. It also increases consumer confidence, which could result in higher sales for your business. The PCI Security Standards Council has made compliance fairly easy by splitting it into four basic levels.

Depending on your POS environment, you may need to complete a Self-Assessment Questionnaire (SAQ) and undergo mandatory quarterly network scans. The SAQ contains multiple-choice questions designed to characterize your card acceptance and processing environment. The quarterly network scans use vulnerability testing to identify externally facing IPs that are not secure. Unsecured systems could provide an opportunity for hackers to steal valuable cardholder data, leading to a data compromise or security breach.

The requirements for each level differ:

Level 4

This level is for small businesses processing fewer than 20,000 eCommerce transactions and fewer than 1 million other transactions each year. Level 4 businesses are required to complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

Level 3

Mid-sized companies at this level process between 20,000 and 1 million transactions annually. They must complete an annual risk assessment using the appropriate SAQ. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

Level 2

Companies at Level 2 conduct anywhere between 1 million and 6 million transactions annually. They must conduct a risk assessment each year, using the appropriate SAQ. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

Level 1

This is the level of major corporations and “big box” stores. Level 1 companies have a minimum of 6 million transactions per year. They must have an annual internal audit conducted by a qualified PCI auditor. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

PCI Compliance Steps
Concierge will work with you to understand which requirements apply to your environment and how to complete or review your compliance.

More details are available at the PCI Security Standards website.