If you process credit cards, your organization must meet PCI compliance standards.
PCI compliance scanning is required for any company that deals with credit card information, even if that information is only used for processing transactions and never stored on site or in any kind of database. Data Security Standards were created by the Payment Card Industry to help protect consumers, businesses, and the credit card companies themselves against the threat of system intrusion and credit card fraud.
Getting and maintaining PCI compliance is not a one-time event, but an ongoing process that requires the help of a specialized partner like ServerScan to manage certain parts of that process.
Step One - Do I Need To Be PCI Compliant?
It is a common misconception that businesses do not need to meet compliance standards if they do not store credit card data, or that only large companies need to worry about PCI standards. These oft-repeated ideas expose your customers' private data to breach and your company to legal liability.
Some US states and other jurisdictions impose additional legal requirements and penalties related to compliance with the data security standards (DSS).
Step Two - How Do I Become PCI Compliant?
Different credit card companies have different classifications for things like merchant levels, so you may find it easier to focus on what you need to do rather than what level you are. If you want to know your level anyway, check out our PCI merchant levels page.
Requirements by Merchant Level
Credit card processors may increase security requirements for businesses that they deem to be high risk, especially if those businesses have been compromised in the past.
Step Three - Set Up Quarterly Scans
Your website needs ASV (Approved Scanning Vendor) scans at least quarterly to meet DSS requirements. PCI scanning tests for known exploits or vulnerabilities. If any are found, your scan will let you know where your security is weak and what needs to be done to fix any issues.
Quarterly scans are required, but you can use ServerScan to scan your website more frequently (as often as every day). There is no extra charge for scanning more frequently; whether you scan more often than once per quarter depends entirely on your assessment of your organization's security needs.
Step Four - Complete Your Self Assessment
All merchants must complete a self-assessment questionnaire (SAQ). Depending on your classification, you will either complete form A, B, C, C-VT, or D.
Form A - Merchants who accept only card-not-present (E-commerce, mail, or telephone) transactions, and exclusively use outsourced service providers to collect, handle, and process credit card data functions. If your servers ever receive or send credit card information, then this form is NOT for you. This form is intended for organizations who retain only paper records of cardholder data. It is not intended for organizations that store, process, or transmit any cardholder data on their systems.
Form B - Card transactions from a dial-out terminal or via credit card imprint machine. No electronic card data storage. This form is generally for brick-and-mortar or mail/telephone businesses. This form is not for any business that has payment systems connected to the internet.
Form C - Payment application systems connected to the internet. No electronic card data storage.
Form C-VT - Web-based virtual terminal transactions only. No electronic card data storage. This form is for merchants who only manually enter a single transaction at a time into a web-based virtual terminal which is hosted by a 3rd-party service provider. The computer accessing the virtual terminal must be on a dedicated private network, isolated from your other computers. Cardholder data is not otherwise received or transmitted electronically. Merchants who use this payment configuration are generally brick-and-mortar or mail/telephone businesses with relatively low transaction volumes.
Form D - Any other merchant or service provider. If you store cardholder data electronically (not recommended unless absolutely necessary) this is the form you should use.
Inside your ServerScan account, you will find links to all of the most recent PCI 3.1 SAQ forms for your convenience.