A guide on how Level 4 merchants become PCI Compliant
Host Merchant Services walks our customers through the entire process of becoming PCI Compliant. We run a security analysis for each customer and identify the specific areas that need to change to meet the standard. We also explain each step in detail and make sure our customers have everything in order so the process is simple and easy. We take the burden off your shoulders and let you get back to running your business.
For a sample of the process, here is a brief overview of what a Level 4 Merchant (as defined by Visa) needs to do to become PCI Compliant:
Identify your Validation Type as defined by PCI DSS. The Validation Type determines which Self-Assessment Questionnaire (SAQ) applies to your business. The SAQ is the validation tool for merchants and service providers that are not required to undergo an on-site data security assessment under the PCI DSS Security Assessment Procedures. Its purpose is to help an organization self-evaluate its compliance with the PCI DSS, and you may be required to share the completed SAQ with your acquiring bank. The PCI Security Standards Council publishes an official overview of the SAQ, and the SAQ document that applies to your business can be downloaded in PDF format from its document library. Here is a quick look at which SAQ might apply to your business if you are a Level 4 Merchant:
Complete the SAQ according to the instructions in the PCI SSC's Self-Assessment Questionnaire Instructions and Guidelines document.
Complete an external vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV) and obtain evidence that it passed. The PCI Security Standards Council publishes the list of approved ASVs. Note that scanning does not apply to all merchants: it is required for Validation Types 4 and 5, the merchants with external-facing IP addresses. In short, if you electronically store cardholder data or your processing systems have any internet connectivity, a passing scan by an ASV is required every quarter. The scan must cover every internet-facing IP address and domain in your cardholder data environment, and it passes only when the ASV finds no vulnerability rated CVSS 4.0 or higher on those hosts. If a scan fails, fix the findings and rescan until you have a passing report to submit.
Complete the relevant Attestation of Compliance (AOC) in its entirety; it is included in the SAQ document.
Submit the completed SAQ, the Attestation of Compliance, evidence of a passing scan (if applicable), and any other requested documentation to your acquirer.
All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the security requirement for every organization that stores, processes or transmits payment cardholder data.