Many parts of the PCI Data Security Standard are technical in nature, and some may even be hard to understand without a certain level of computer experience. We are here to relieve stress and pain and make it easy for you to achieve and maintain PCI compliance. ACE, our security compliance solution, walks you through the PCI compliance process, putting tasks in easy-to-understand terms, so that you won’t get bogged down in technical jargon. ACE enables you to concentrate on what you do best — running your business and serving your customers.
Navigating PCI Compliance
Every merchant who accepts credit cards as payment must comply with the security standards set forth by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC maintains the Data Security Standard (DSS) and ensures that merchants who implement the DSS will have a baseline of security measures in place to protect the credit card data of their customers.
PCI compliance is reported on an annual basis, but maintaining the required level of security takes constant effort. PCI compliance requires tasks to be performed throughout the year, not just at the time of reporting. Depending on how you process credit cards, you will be required to complete a Self-Assessment Questionnaire (SAQ) and quarterly vulnerability scans, or just the SAQ form.
5 Steps to PCI Compliance
Maintaining compliance to the PCI DSS can be broken down into 5 simple steps. ACE helps guide you through each one to ensure you are staying on task and PCI compliant.
1. Conduct an Initial Assessment
The first step in becoming PCI compliant is knowing where you are and where you need to be. You start by determining your validation type. For merchants who fill out a Self-Assessment Questionnaire, there are 5 validation, or SAQ, types. The SAQ type you use is based on how you process and store payment information.
The five current SAQ types are A, B, C, C-VT, and D. Each validation type focuses on a common approach to processing credit card payments. Outlined below is a basic overview of the merchant payment processing method allowed for each SAQ type.
- SAQ A - Card-Not-Present/Outsource Processing
- SAQ B - Stand-alone/dial-out terminals only
- SAQ C-VT - Web-based virtual payment terminal only
- SAQ C - POS/Payment Application w/ Internet access
- SAQ D - Store cardholder data/No other SAQ type match
For a more detailed explanation of the SAQ type requirements see the PCI SAQ Documents.
2. Remediate Non-Compliant Requirements
Once you know your reporting requirements for PCI compliance, you can fix the areas where you might not be in line with PCI standards. The SAQ form details all the requirements you must meet. By familiarizing yourself with the PCI requirements and working to meet them, you will achieve and maintain PCI compliance year after year.
Some PCI requirements must be met on a recurring basis. One such requirement is conducting vulnerability scans. Merchants who complete an SAQ C or D must meet the scanning requirement for compliance. These scans need to be performed by an Approved Scanning Vendor (ASV), such as Aeris Secure. In order to be PCI compliant, a merchant must have a passing ASV scan for each quarter of the year.
If you are required to complete a computer system scan, please refer to Scanning Services for more information.
3. Complete the Self-Assessment Questionnaire
Prior to your compliance deadline you will need to fill out the SAQ form in preparation for reporting your compliance status. Filling out the SAQ might seem a bit overwhelming the first time through, as some of the concepts will seem foreign. Easy-to-understand help text is available at every step of the questionnaire, and Aeris Secure experts are on hand via email and telephone support to make sure all your questions get answered. The end result is that PCI compliance is attainable for every merchant.
4. Complete the Attestation of Compliance
Once you have completed the SAQ and can honestly answer "Yes" to every requirement, the final step is to fill out the Attestation of Compliance. The Attestation of Compliance is where you sign your name and attest that you meet all the points in the DSS and are PCI compliant.
5. Submit Compliance Report
Once your Attestation of Compliance is filled out, all that is left to do is report your status to your payment card processor. Because we have relationships with many Acquirers, ISOs, and Merchant Service Providers, ACE makes the process of reporting compliance as easy as the click of your mouse.