The purpose of PCI compliance scanning is to make the environment that handles credit cards as secure as practical, so that consumers can shop without worrying about fraud or theft. As if that's not reason enough for business owners to be PCI compliant, compliance also protects them from a security breach and the bad publicity, card-brand fines and lost customers that follow one. With the exception of film stars, nobody comes back from bad press.
Being PCI compliant is also a requirement of most merchants' banks and of the card brands. As difficult as it seems, given the long name and even longer list, it's not much more than working through a checklist. Who doesn't love checking off lists? The PCI DSS (Payment Card Industry Data Security Standard), maintained by the PCI Security Standards Council, has 12 main security requirements that every merchant who stores, processes or transmits cardholder data must meet. What changes with your size is not which requirements apply but how you prove you meet them: the card brands sort merchants into 4 levels by the number of transactions processed per year. You'll find a simplified version below. For more on PCI compliance visit our university and the PCI Security Standards Council website.
Level 1: any merchant that does over 6,000,000 transactions per year. You need to bring an assessor on-site once a year, a QSA (Qualified Security Assessor), to evaluate your security and write an in-depth Report on Compliance (ROC) for you. Quarterly PCI scans by an Approved Scanning Vendor are also required.
Level 2: any merchant that does between 1,000,000 and 6,000,000 transactions per year. In lieu of a full Report on Compliance, Level 2 merchants may complete an annual Self-Assessment Questionnaire (SAQ) instead (go ahead and celebrate your Level 2 status right now!). Quarterly PCI scans are also required. Level 2 merchants also have an extra one-page form, which takes about 5 minutes to fill out, attesting that they don't keep certain types of card data on file.
Level 3: any merchant that does between 20,000 and 1,000,000 e-commerce transactions per year. In lieu of a full Report on Compliance, Level 3 merchants may complete an annual Self-Assessment Questionnaire (SAQ). Quarterly PCI scans are also required.
Level 4: any merchant that does fewer than 20,000 e-commerce transactions per year. In lieu of a full Report on Compliance, Level 4 merchants may complete an annual Self-Assessment Questionnaire (SAQ). Quarterly PCI scans are also required.
What do I need to do to become PCI DSS Compliant?

What you need to do depends on which merchant level you fit into above. As you can see, Levels 2-4 are all basically the same (except the extra form for Level 2). For all three levels, you essentially need quarterly PCI scans performed by an Approved Scanning Vendor (ASV) and an annual Self-Assessment Questionnaire (SAQ). Your life will be much simpler and less stressful if you don't store any card numbers on your own server. If your payment gateway provider (Authorize.net, LinkPoint, PayPal, etc.) stores the cards and hands you back a token or customer profile ID, most of your infrastructure drops out of scope and the SAQ is a breeze. If you store card numbers on your own server, every system that touches them is in scope, the SAQ gets much longer, you must meet the stored-data protection rules of Requirement 3 (and never store the CVV or full magnetic stripe after authorization), and you become a far more attractive target for attackers.
PCI scanning (PCI security scanning or vulnerability scanning) involves having a PCI ASV (Approved Scanning Vendor) scan every public-facing IP address related to your website or the transaction process. This typically means your website's IP address(es), but if you redirect customers to a shopping cart hosted by a third-party provider during checkout, that provider's public IP addresses are part of the transaction path too: either include them in your scan or obtain the provider's own ASV scan results and Attestation of Compliance, since a hosted cart is a service provider that must validate its own PCI DSS compliance.
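As an added illustration (this is example code, not something from the original article or from any ASV), here is a small Python script that takes the URLs a customer's browser visits during checkout, including the redirect to a hosted third-party cart, and turns them into the list of public IP addresses to hand to your ASV. The shop hostnames, the redirect URL and the DNS answers are constructed for the example; swap in your real checkout URLs and drop the fake resolver to use the system DNS.

```python
"""Build the external-scan scope for an ASV from the URLs a customer's browser
visits during checkout. Added example; hostnames and DNS answers are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed checkout flow for a hypothetical shop: the storefront, its cart page,
# and the hosted third-party cart the customer is redirected to at checkout.
CHECKOUT_FLOW = [
    "https://www.example-store.test/",
    "https://www.example-store.test/cart",
    "https://secure.example-cartvendor.test/checkout?sid=abc123",
]

# Constructed DNS answers so the example runs offline. The 203.0.113.x and
# 198.51.100.x addresses are documentation ranges standing in for real public IPs;
# 10.0.0.5 mimics a split-horizon DNS answer that leaks an internal address.
CONSTRUCTED_DNS = {
    "www.example-store.test": ["203.0.113.10", "203.0.113.11", "10.0.0.5"],
    "secure.example-cartvendor.test": ["198.51.100.7"],
}

# Address ranges an external ASV scan can never reach; a checkout hostname that
# resolves here is a DNS or configuration problem to investigate, not a scan target.
NOT_EXTERNALLY_REACHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "100.64.0.0/10",                                  # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]


def resolve_with_system_dns(host):
    """Resolve a hostname to every A/AAAA answer via the system resolver (online use)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def hosts_in_flow(urls):
    """Distinct hostnames the customer's browser touches, in order of first appearance."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def is_externally_reachable(addr):
    """True unless the address falls in a range an outside scanner cannot reach."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NOT_EXTERNALLY_REACHABLE)


def build_scan_scope(urls, resolve=resolve_with_system_dns):
    """Return (in_scope, excluded): public IP -> set of hostnames to hand to the ASV,
    and non-public answers that an external scan cannot reach (flag these for review)."""
    in_scope, excluded = {}, {}
    for host in hosts_in_flow(urls):
        for addr in resolve(host):
            bucket = in_scope if is_externally_reachable(addr) else excluded
            bucket.setdefault(addr, set()).add(host)
    return in_scope, excluded


def example_scope():
    """Run the scope build against the constructed DNS answers (no network needed)."""
    return build_scan_scope(CHECKOUT_FLOW, resolve=lambda h: CONSTRUCTED_DNS[h])


if __name__ == "__main__":
    in_scope, excluded = example_scope()
    print("Hand these IPs to the ASV:")
    for addr, hosts in sorted(in_scope.items()):
        print(f"  {addr:16} {', '.join(sorted(hosts))}")
    for addr, hosts in sorted(excluded.items()):
        print(f"Not externally scannable, investigate: {addr} ({', '.join(sorted(hosts))})")
```

Two things this makes visible that a hand-written list tends to miss: one hostname often resolves to several addresses (load balancers, IPv6), and all of them are in scope; and a private address coming back from public DNS is worth a look before you hand the list to the scanner, because the ASV will simply report it as unreachable.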
The Report on Compliance (ROC) or SAQ is the document you submit to your acquirer or merchant bank (the company that processes credit cards for you; this could be a third-party processor or your actual bank) to show them that you are compliant. Which one you submit depends on your merchant level: a ROC written by a QSA for Level 1, an SAQ for Levels 2-4, each accompanied by a signed Attestation of Compliance (AOC).
Once your PCI scan comes back passing (the ASV marks a scan as failing if it finds any vulnerability with a CVSS base score of 4.0 or higher, so fix the findings and rescan until it is clean), you submit the scan report together with your SAQ or ROC and attestation to your acquirer or merchant bank.