The FYI on PCI
Data breaches are becoming increasingly common, so merchants need to learn to protect themselves. Hackers can also target service providers, such as software (SaaS) companies, looking for a way to test and process stolen card data. Software vulnerabilities can be expensive and dangerous for merchants' security and reputation.
So how can you tell if your software partner is secure and PCI compliant?
Companies that sell software, Point of Sale (POS), or other technical solutions that process credit or debit cards on behalf of their customer base are considered service providers.
Service providers that store, transmit, or process more than 300,000 transactions annually across the business's software are considered Level 1 by the PCI DSS. These providers must be validated onsite by a Qualified Security Assessor (QSA), as well as demonstrate compliance via a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). They are also responsible for passing a quarterly network scan by a third party and must complete the Attestation of Compliance form.
Level 2 service providers (300,000 transactions or fewer annually) do not need to be validated onsite by a QSA but are required to provide an annual self-assessment using SAQ D and should complete the remaining points to show compliance.
ASCENT strongly recommends that ALL software providers, regardless of Level, certify their PCI compliance via annual third-party audits and quarterly network scans, to ensure any potential vulnerabilities are found and addressed quickly. We have communicated these recommendations to our software partners.
For merchants, PCI certification will save you money on a monthly basis and could save your reputation by helping you avoid a breach. Most merchants in our industry are Level 4 (those who process fewer than 20,000 transactions per year), which streamlines the requirements for meeting PCI specifications.
The official PCI DSS website has a number of helpful resources to assist businesses with questions regarding compliance.
ASCENT also has resources to help guide you through the PCI Compliance certification process; contact us at firstname.lastname@example.org to set up an appointment, or give us a call at 888-721-9301.