Technically, the PCI Security Standards Council identifies four levels of Data Security Standards compliance, with different requirements corresponding to factors like the size of a merchant, or the number of credit card swipes you process. Understandably, many merchants worry and wonder about which level of compliance applies to them. But the fact is, it doesn’t really matter which level you fall under, at least on a practical level: all that matters is the reporting style your acquiring bank requires.
Questionnaire or RoC
At minimum, an acquiring bank will expect any merchant to fill out a self-reporting questionnaire. This is what the PCI council themselves require of Level 2, 3, and 4 merchants, which includes the vast majority of businesses. This questionnaire includes yes-or-no questions corresponding to all 250+ PCI compliance regulations. A merchant must answer “yes” to every single question to be in compliance.
In the event of a breach, both merchant and acquirer will have to hope the questionnaire has been filled out correctly; otherwise, they may still be subject to fines. Mistaken answers, made in good faith, are unfortunately common. Some acquirers require more exacting reporting – specifically, a formal Report on Compliance (or RoC) from a certified auditor.
The PCI Security Standards Council certifies third-party security firms as Qualified Security Assessors, which is what we are at LBMC. We help merchants verify that they are in genuine and complete compliance and report that compliance to acquiring banks.
As far as the PCI Security Standards Council is concerned, only Level 1 merchants (typically big-name chain retailers) have to get a QSA to submit a Report on Compliance. But many acquirers require an RoC regardless of your size – and the decision is up to them. For acquirers, this rule can limit risk considerably, and many take advantage of the opportunity. This is why determining your merchant level can be a bit beside the point: what you’ll need to do depends entirely on your acquirer’s expectations, which may be more stringent than your level dictates. If you’re choosing an acquirer, it’s wise to find out what they expect for PCI compliance up front.
Getting your bases covered
Now we’ve got a comprehensive picture of all the players involved in PCI compliance regulations. The PCI Security Standards Council, backed by the major card brands, maintains evolving rules which acquiring banks enforce at two tiers of stringency. Acquiring banks require either a self-reporting questionnaire or a Report on Compliance, the latter of which is supplied by a Qualified Security Assessor.
When out-of-compliance merchants experience breaches, acquirers may be fined – and may in turn assess fines for the merchant. It’s worth noting that at no point does the government enter the equation. You won’t go to jail for non-compliance. (If you repeatedly flout the rules, you can lose the ability to accept cards.)
PCI isn’t a law – it’s an industry-created, industry-maintained, and industry-enforced set of regulations. In fact, it’s more granular and prescriptive than comparable government standards like HIPAA. Merchants, acquirers, and security experts help to move the guidelines forward, so that in 2014’s Version 3.0 of the DSS, once-hazy requirements are clarified. Whether you’re self-assessing or engaging a QSA, the guidelines can ensure that your data security bases are covered.