Things That A Business Must Do To Satisfy PCI Requirements

All businesses, both merchants and processors, must follow a certain course of action to meet the minimum requirements set by the council.
The Payment Card Industry is serious about enforcing the standards so that the quality of service will be incomparable. Companies that take the regulations for granted will be penalized. Thus, several providers take extra effort to customize their services to satisfy the council's requirements. In fact, since tough competition exists in the industry, some offer no PCI fee to make the package more appealing. Above all, both merchants and processors must see to it that conformity to the guidelines is always observed by following these simple procedures:
Identifying the validation type
Since there are 5 validation types under the Self Assessment Questionnaire, the first thing to do is to identify which of the types your company belongs to. Each type has its own instructions and guidelines to follow, which do not apply to any other type. Whatever is stipulated in the guidelines must be met to be attested as compliant. Below are the different validation types with their respective requirements:
Type 1 - Card not present
This type handles mail or telephone orders only. The company is not allowed to store or process data of any kind; instead, it must hire the services of a third-party provider. Only manual record keeping and reporting is permitted, not electronic tracking.
Type 2 - Imprint machines
Under this type, a company may be either a card-present or a card-not-present merchant; however, its function is confined to the use of imprint machines only. As with type 1, electronic data storage is prohibited.
Type 3 - Stand-alone, dial-out terminals only
Basically the same guidelines as type 2, with the only difference being the use of a dial-out terminal connected via phone line to the card processor. Connection through the Internet is a violation.
Type 4 - Merchants with a POS system
The requirement under this validation type is a payment application system connected through an Internet connection. Although the company can't electronically store cardholder data, the Internet connection is used to transmit sensitive information to the application vendor. Still, only paper reports and receipts are allowed.
Type 5 - All other Merchants and SAQ Eligible Service Providers
This is specially developed for businesses that do not meet the criteria set for Types 1 - 4. Since some guidelines may not be applicable, provision is made for the non-applicability or exclusion of certain requirements.
Completing the Self Assessment Questionnaire (SAQ)
Once you have identified your business type, completion of the SAQ must follow. This is a sort of checklist containing the PCI security standards. It serves as an evaluation to ensure that the business strictly conforms to the set standards.
Obtaining evidence of passing a vulnerability scan
If your business is categorized as either type 4 or 5, you are required to provide evidence that you have passed a vulnerability scan from an Approved Scanning Vendor. This is to ensure that transmission and storage of cardholder data over the Internet is guaranteed safe.
Completing the Attestation of Compliance
This is a declaration that your company is fully compliant with the PCI council requirements. Included in the form are the following: Qualified Security Assessor company information, merchant organization information, PCI validation, and action for non-compliant status.
Submitting all compliance tools to the acquirer
Upon completion of the SAQ, evidence of passing the scan, and the Attestation of Compliance, you are required to submit them to your acquirer. Sometimes, other relevant documents may be requested together with the SAQ tools.
The compliance procedures may be extensive and obligatory; however, their purpose is to provide assurance of safe transactions for clients.
With all the strict requirements of the council, it is understandable to be charged a compliance fee.