PCI Explained and Demystified and How AmeriCommerce is PCI Certified

2/6/2020

Did you know PCI Compliance is mandatory for any business that processes, transmits, or stores credit card information?

In other words, if you are selling retail or online and accept a credit card, then you fall under PCI Compliance. In order to become PCI Compliant, an organization must follow the security standards set forth by the PCI Council. This council is made up of five founding global payment brands as well as some strategic members. The PCI Council has come up with a comprehensive set of requirements called the PCI Data Security Standard (PCI DSS). The PCI DSS provides a framework in which to build security processes.

Yes, it's like alphabet soup to explain this, but humor me, this is a critical concern for store owners.

So, if you are just now realizing that PCI Compliance is required, you probably have several questions going through your head now.

Is AmeriCommerce PCI Compliant? How do I become PCI Compliant?

Well, don’t fear just yet. I will answer these questions for you here.

To answer the first question: yes, AmeriCommerce is PCI Compliant. In fact, we are Certified Level 1 PCI Compliant. Level 1 is simply the compliance level that we fall under because of the number of transactions we process annually. I will explain that in more detail a little later.

As part of the certification process for Level 1 PCI Compliance, we were required to undergo an onsite audit by a Qualified Security Assessor (QSA). AmeriCommerce had Trustwave, the largest and most thorough, come in and perform a very rigorous audit of all of our systems and procedures.

How do I become compliant? The first step is to get started with the PCI DSS. It consists of 12 general requirements designed to:

  • Build and maintain a secure network;
  • Protect cardholder data;
  • Ensure the maintenance of vulnerability management programs;
  • Implement strong access control measures;
  • Regularly monitor and test networks;
  • Ensure the maintenance of information security policies.

Once this is in place, find out what compliance level you fall under. This can be kind of tricky, since the levels are governed by the card brands themselves. To give you an idea, these are Visa’s PCI Compliance levels and their requirements.

Level / Tier 1
Merchant Criteria: Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region
Validation Requirements:
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or internal auditor if signed by officer of the company
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level / Tier 2
Merchant Criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
Validation Requirements:
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level / Tier 3
Merchant Criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
Validation Requirements:
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level / Tier 4
Merchant Criteria: Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
Validation Requirements:
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by merchant bank

At this point I’m sure many of you are staring at the screen wide-eyed, wondering how you can do all this.

Well not to worry.

Choosing a PCI Compliant cart like AmeriCommerce, which has already gone through the certification process, will help out a bunch. AmeriCommerce has done the legwork by putting up firewalls, intrusion detection/prevention systems, log management, file integrity systems, encryption systems and much more.

You will still be responsible for your own environment, but you can have peace of mind knowing your e-commerce platform is safe and secure. The annual SAQ and quarterly scan by an ASV will still be required regardless of how you are selling, retail or online.

To wrap up, you can see that there is a lot involved in becoming PCI compliant, and even more in becoming certified. AmeriCommerce is following the guidelines and doing much more to keep your data safe and secure.