
PCI Compliance, PCI DSS & Merchant Account Services Explained

If you own a business and you have, or are looking into, merchant account services, chances are you’ve heard the terms PCI compliance and/or PCI DSS. They sound serious…and they are, but do you know what they mean and how they affect your business?

PCI DSS stands for Payment Card Industry Data Security Standard (often it’s shortened to just PCI). The standard was created by the five major card brands (American Express, Discover, JCB International, MasterCard®, and Visa®); version 1.0 was released in December 2004 to ensure that cardholder data is stored, processed and transmitted securely.

In 2006 the card brands established the PCI Security Standards Council to develop and maintain the standard. Every merchant that accepts payment cards must meet its requirements. The Council sets the standard, but enforcement (including fines, penalties and the PCI fees your acquirer may charge) is handled by the individual card brands and your acquiring bank.

PCI compliance isn’t mandated by U.S. federal law, but some states, such as Minnesota, Nevada, and Washington, have written parts of the standard into state law. Depending on the state, a compliant merchant may be shielded from certain breach-related liability, while a merchant that fails to comply can be held liable for the costs a breach imposes on card issuers.

Who needs to comply?

All merchants who accept credit cards, from multinational corporations to small e-commerce shops, must be PCI compliant. No matter how many transactions you process, if you accept credit cards, online or off, you have to comply with PCI requirements.

The size of your business does matter when it comes to how you must validate compliance: each card brand publishes its own merchant levels and validation criteria.

Most businesses fall into one of four merchant levels. The chart below shows Visa’s PCI merchant levels; each level is based on a merchant’s Visa transaction volume over a 12-month period (all Visa credit, debit and prepaid transactions).


Your level determines how you validate compliance. Level 1 merchants must complete an annual onsite assessment, documented in a Report on Compliance (ROC) and usually performed by a Qualified Security Assessor (QSA); merchants at the lower levels validate with an annual Self-Assessment Questionnaire (SAQ). In addition, any merchant with an Internet-facing cardholder data environment must pass quarterly external network vulnerability scans by an Approved Scanning Vendor (ASV).

While the Visa and MasterCard levels are largely the same, American Express has a separate set of criteria.

PCI Data Security Standards Requirements

There are 12 PCI DSS requirements, grouped under six control objectives:



As data breaches became more frequent, the PCI Security Standards Council released version 3.0 of the standard, which took effect on January 1, 2014 (the previous version, 2.0, was retired at the end of 2014). If you haven’t reviewed the current requirements recently, do so now to make sure you’re still compliant.

Starting a business?

If you’re just opening a business and looking into a credit card processing solution, your merchant account services provider should take the time to explain the issues that will affect how you do business, such as PCI compliance and the EMV liability shift scheduled for October 2015. Not all providers do, unfortunately, so make sure you find one you can trust to keep you informed.

If you have any questions about PCI DSS compliance, EMV terminals, or anything related to merchant account services, call us today, and we’ll gladly help you out.