PCI DSS Compliance

Everything you need to know about PCI DSS compliance and how it impacts your business.

Written by Will Patterson

Below is everything you need to know about PCI DSS compliance and how it impacts your business.

Q: First off, what is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards, rules, and procedures designed to protect consumer data in credit and debit card transactions and to reduce expensive data breaches. Essentially, it’s a set of rules for maintaining payment security.

The five leading Card Brands, Visa, MasterCard, Amex, Discover, and JCB, get really upset if you have credit card numbers scribbled on post-it notes, buried in your text messages, or anywhere else they can be found by unintended parties. To help maintain payment security, they established the PCI Security Standards Council (PCI SSC) as the governing and administrative body responsible for all PCI rules and standards.

Q: How does PCI DSS impact my business?

Boulevard is a PCI DSS-approved Level 1 Service Provider. We manage payment processing for you and take the necessary steps to address certain PCI DSS requirements through our own efforts and by providing guidance to our customers.

However, partnering with a PCI DSS compliant provider does not automatically make you, as a business, compliant with PCI regulations. As a merchant who accepts credit/debit cards, you are still responsible for ensuring that your business is compliant with all current PCI requirements.

Q: But what if I run a solo or small operation?

Compared to larger merchants, smaller merchants typically have simpler environments with limited amounts of cardholder data and fewer systems that need protecting. This reduces your overall PCI compliance efforts, but you still need to comply.

Q: What steps do I need to take to become a PCI DSS compliant business?

Step 1: Follow PCI DSS Standards Requirements

PCI DSS requirements cover the technical and operational system components included in or connected to the cardholder data environment. Here is the list of requirements current as of May ##, 2021, when this document was written:

  1. Install and maintain a firewall configuration to protect cardholder data

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

  3. Protect stored cardholder data

  4. Encrypt transmission of cardholder data across open, public networks

  5. Use and regularly update anti-virus software or programs

  6. Develop and maintain secure systems and applications

  7. Restrict access to cardholder data by business need-to-know

  8. Assign a unique ID to each person with computer access

  9. Restrict physical access to cardholder data

  10. Track and monitor all access to network resources and cardholder data

  11. Regularly test security systems and processes

  12. Maintain a policy that addresses information security for employees and contractors

This checklist is updated by the PCI Security Standards Council from time to time. Be sure to visit the PCI Security Standards Council website to get the most up-to-date version of the PCI DSS requirements.

Step 2: Satisfy PCI Reporting Requirements

There are four levels of PCI compliance. Each level has its own reporting requirements, determined by your business’s total annual card transaction volume. You can find your level and its reporting requirements below:

Level 1

Applicability: any merchant processing more than 6M transactions per year, OR any merchant that has had a data breach or attack that resulted in card data compromise, OR any merchant identified as Level 1 by the Card Brands

PCI Reporting Requirements:

Annually:

  • Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) and signed by an officer of the company

Quarterly:

  • Network scan by an Approved Scanning Vendor (ASV)

Level 2

Applicability: merchants processing 1M - 6M transactions per year

PCI Reporting Requirements:

Annually:

  • Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) and signed by an officer of the company

Quarterly:

  • Network scan by an Approved Scanning Vendor (ASV)

Level 3

Applicability: merchants processing 20K - 1M eCommerce transactions per year

PCI Reporting Requirements:

Annually:

  • Self-Assessment Questionnaire (SAQ) completed by the merchant or by a Qualified Security Assessor (QSA). See more at Completing SAQ

Quarterly:

  • Network scan by an Approved Scanning Vendor (ASV)

Level 4

Applicability: all other merchants

PCI Reporting Requirements:

Annually:

  • Self-Assessment Questionnaire (SAQ) completed by the merchant or by a Qualified Security Assessor (QSA). See more at Completing SAQ

Quarterly:

  • Network scan by an Approved Scanning Vendor (ASV)

A complete list of approved Qualified Security Assessors (QSAs) is published on the PCI Security Standards Council website.

A complete list of Approved Scanning Vendors (ASVs) is published on the PCI Security Standards Council website.

Q: How much will it cost me to become PCI compliant?

The cost of becoming and staying PCI compliant depends on the size of your business and your transaction volume, so it varies from business to business.

If your business is not compliant with PCI standards, you could be at risk of fines and penalties following a data breach, as well as card replacement costs, forensic audits, and investigations into your business. It could also affect your brand image and have other consequences, so it’s not something you want to brush under the rug.

Q: Anything else I need to know?

We realize PCI Compliance isn’t the most exciting topic in the world, but it’s necessary to keep you and your clients protected and is a must if you have big plans for your career and business. So, don’t wait! Follow the PCI requirements today and lay the groundwork for your future success. To learn more about achieving and maintaining full PCI DSS Compliance, visit the PCI Security Standards Council website.

As a PCI DSS-approved Level 1 Service Provider, Boulevard manages your payment processing for you and helps ensure your business is up-to-date with all requirements, so you can focus on honing your craft.
