The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, transmit, process or store credit card information maintain a secure environment.
The Payment Card Industry Security Standards Council (PCI SSC) was launched to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
PCI levels are a set of criteria created by the PCI SSC to determine the level of security measures that organisations must adhere to in order to protect sensitive payment card information. PCI levels are determined based on the volume of card transactions processed annually.
The four different PCI levels are Level 1, Level 2, Level 3, and Level 4. Each level has different requirements, with Level 1 being the most stringent and Level 4 being the least stringent. Here are the requirements for each level:
PCI Level | Applicable to | Requirements |
---|---|---|
1 | Organisations that process more than 6 million transactions annually | Must undergo an annual on-site security assessment by a Qualified Security Assessor (QSA) and a quarterly network scan by an Approved Scan Vendor (ASV). |
2 | Organisations that process between 1 and 6 million transactions annually | Must complete an annual self-assessment questionnaire (SAQ) and undergo a quarterly network scan by an Approved Scan Vendor (ASV). |
3 | Organisations that process between 20,000 and 1 million transactions annually | Must complete an annual self-assessment questionnaire (SAQ) and undergo a quarterly network scan by an Approved Scan Vendor (ASV). |
4 | | Must complete an annual self-assessment questionnaire (SAQ) and undergo a quarterly network scan by an Approved Scan Vendor (ASV). |
An SAQ, or self-assessment questionnaire, is a document that merchants must complete to assess their compliance with the PCI DSS standard. The specific SAQ(s) required depend on the level of PCI compliance, which is determined by the volume of credit card transactions processed annually and the payment integration methods supported by the merchant (e.g. e-commerce and point of sale).
The different types of SAQs are listed in the table below, including the number of questions applicable to each type. More details on the different types of SAQs can be found by downloading a guide from the official PCI Security Standards Council via Understanding SAQs for PCI DSS.
SAQ Type | Summary of Applicability | Questions |
---|---|---|
SAQ A | Applicable to merchants who only process e-commerce transactions and do not store cardholder data. | 22 |
SAQ A-EP | Applicable to merchants who only process e-commerce transactions but outsource their payment processing to a PCI-compliant third-party service provider, and do not store cardholder data. | 139 |
SAQ B | Applicable to merchants who only process transactions using standalone, dial-out payment terminals, and do not store cardholder data. | 41 |
SAQ B-IP | Applicable to merchants who only process transactions using standalone, IP-enabled payment terminals, and do not store cardholder data. | 85 |
SAQ C-VT | Applicable to merchants who only process transactions through a virtual terminal accessed by an Internet-connected device, and do not store cardholder data. | 87 |
SAQ C | Applicable to merchants who only process transactions through a payment application installed on a single computer, and do not store cardholder data. | 121 |
SAQ P2PE | Applicable to merchants using only hardware payment terminals included in and managed via a validated, PCI SSC–listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage. | 33 |
SAQ D | Applicable to merchants not included in the SAQ categories above. | 329 |
ClearAccept greatly simplifies the PCI compliance requirements for merchants using the ClearAccept payment platform for e-commerce and point of sale processing.
ClearAccept is a certified PCI Level 1 Service Provider, which is the highest level of PCI DSS compliance. However, PCI DSS applies to any organisation that accepts, transmits, processes or stores any cardholder data, regardless of the number of transactions, and each organisation is responsible for ensuring that its business is PCI compliant.
Provided you use ClearAccept for all your payment processing, and depending on your annual processing volume, ClearAccept handles much of the compliance burden, greatly reducing your risk exposure and the effort needed to validate compliance. The following are, however, requirements for all merchants:
A list of PCI Qualified Professionals, including QSAs and ASVs, can be found on the official PCI Security Standards Council website via PCI Qualified Professionals Listings Overview.
Failure to comply with PCI DSS standards can result in fines, increased transaction fees, and reputational damage. In some cases, non-compliance can even lead to the suspension or termination of your account with your payment processor.
Further information on SAQs can be found by downloading the following guide from the official PCI Security Standards Council: Understanding SAQs for PCI DSS.
Registered Office: 107 Cheapside, London, EC2V 6DN. Company Reg No: 12334838 © All Rights Reserved ClearAccept