We hope our last post worked as a wakeup call for small and medium businesses (SMBs) to realize that they need to accept payment cards into a PCI DSS environment.

Unfortunately, however, many think that PCI compliance can be baffling and over their heads. It’s actually straightforward -- on paper, at least -- but it can be a long process, and can become very expensive, especially as a yearly, recurring expense.

To get an idea, you can access some reliable resources online, such as the PCI Compliance Guide and Focus on PCI, which provide answers to commonly asked PCI compliance questions.

Note: The PCI Council is not a government entity. It comprises credit card-issuing companies (Visa, MasterCard, American Express, Discover and JCB International), who set down the 12 general PCI requirements that merchants must adhere to -- as well as the fines for non-compliance. 

PCI DSS Compliance Levels

Merchants must review the requirements to assess which level they belong to, based on the amount of transactions processed in a 12-month period. Levels also vary slightly for each credit card brand you accept and process. For this reason, you really need to read the fine print to determine your level, per card issuer; e.g., Visa, MasterCard, Discover, American Express.

Too, if you ever do suffer a data breach, future compliance requirements may be affected -- and not in your favor.

The list below summarizes the levels of PCI compliance:

• Level 1: merchants who process over 6 million card transactions annually
• Level 2: merchants who process between 1 and 6 million transactions annually
• Level 3: merchants who process between 20,000 and 1 million transactions annually
• Level 4: merchants who process fewer than 20,000 transactions annually OR non-e-commerce (purely retail) merchants who process up to 1 million transactions annually 

Level 1 encompasses most SMBs, and makes up the majority of merchants -- according to Visa, Level 4 merchants account for 85% of the seven million locations nationwide that accept credit cards. The requirements and recommendations for this level are quite standard across all card brands:

• Annual self assessment questionnaire (SAQ)
• A quarterly network scan by an approved scan vendor (ASV)
• Attestation of Compliance form

For the average company, this time-consuming process may deter SMBs from starting any implementation. That’s where affordable, cloud-based solutions like ShieldQ come in. This service, accredited for PCI DSS Level 1, lets you accept sensitive payment card and personally identifiable information (PII) into a secured, compliant environment, for easy management. With ShieldQ, you don’t have to undergo any lengthy or costly processes: the heavy lifting is done for you.

If you want to learn how you can avoid the time and expense of PCI compliance, contact our team, or give it a try, with no obligation.