In a nutshell, the purpose of PCI compliance scanning is to create the most secure environment possible for processing credit cards. The PCI (Payment Card Industry) Council has 12 main security requirements that all merchants are required to strive for in order to be PCI DSS compliant. The extent to which the 12 requirements need to be met depends on the number of transactions a company processes in a year; merchants are broken into 4 levels on that basis. Here's our simplified version (please check the PCI Council's site for the exact wording and any updates).
Level 1, any merchant that does over 6,000,000 transactions a year. Basically you need to bring an assessor, called a QSA (Qualified Security Assessor), on-site to evaluate your security and create an in-depth compliance report for you. Quarterly PCI scans are also required.
Level 2, any merchant that does between 1,000,000 and 6,000,000 transactions a year. In lieu of a full compliance report, the PCI Council allows Level 2 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI scans are also required. Level 2 merchants also have an extra one-page form, which takes about 5 minutes to fill out, that basically states that they don't keep certain types of credit card information on file.
Level 3, any merchant that does between 20,000 and 1,000,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 3 merchants to complete a Self-Assessment Questionnaire (SAQ). Quarterly PCI scans are also required.
Level 4, any merchant that does between 1 and 20,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 4 merchants to complete a Self-Assessment Questionnaire (SAQ). Quarterly PCI scans are also required.
What do I need to do to become PCI DSS Compliant?
As I mentioned above, what you need to do to become PCI DSS compliant depends on which merchant level you fit into, based on the number of transactions you process in a year. As you can see, Levels 2-4 are all basically the same (except for the extra form for Level 2). For all three levels, you essentially need to get quarterly PCI scans performed by an Approved Scanning Vendor (ASV), and you also need to complete an annual Self-Assessment Questionnaire (SAQ). I should also mention that your life will be much simpler and less stressful if you don't store any credit cards on your server. If the credit cards are stored with your payment gateway provider (Authorize.net, LinkPoint, PayPal, etc.), the SAQ is a breeze. If you store credit cards on your own server, then the SAQ gets much more complicated.
PCI scanning (also known as PCI security scanning or vulnerability scanning) involves having a PCI ASV (Approved Scanning Vendor) scan any and all publicly accessible IP addresses that are involved with your website or the transaction process. This typically means your website's IP address; however, if you transfer your customers to a third-party shopping cart hosted by your shopping cart provider during the checkout process, then you should include the provider's IP address in the scan as well.
A Report On Compliance or SAQ is basically a report that you submit to your acquirer or merchant bank to show them that you are compliant (the acquirer is typically the company that helps you process credit cards; this could be a third-party service provider or your actual bank, depending on who you signed on with). The type of report varies depending on the merchant level you fall into.
Once you've completed your PCI scan, you submit the scan report and the other required documents to your acquirer or merchant bank.
Once my website is PCI compliant, then what?
Trust Guard gives you a safer website that makes more sales. Get started today!