When you pay for goods or services online, you expect businesses to follow compliance measures to keep your personal information secure. PCI DSS compliance (Payment Card Industry Data Security Standard) gives consumers this same confidence in your organization.
Customers need to know that every time they make a credit card payment, their information is being safely handled. One slip-up in security could lead to a breach of sensitive data.
A data breach will hurt your company’s image. It can destroy the trust you've built and put you out of business. That’s why companies rely on payment processors to do the heavy lifting.
Using a PCI DSS Level 1 compliant credit card payment processor reduces your compliance requirements. You are only required to complete the annual self-assessment questionnaire (SAQ).
Have you ever wondered what work your processor does to maintain PCI DSS compliance? How do they keep access to cardholder data safe?
PCI Compliance Levels and Requirements

Level 1: Merchants processing over 6 million Visa transactions annually across all channels.
Every year:
- File a Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or internal auditor if signed by an officer of the company.
- Submit an Attestation of Compliance (AOC) form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

Level 2: Merchants processing 1 to 6 million Visa transactions annually across all channels.
Every year:
- Complete a Self-Assessment Questionnaire (SAQ).
- Submit an Attestation of Compliance (AOC) form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

Level 3: Merchants processing 20,000 to 1 million Visa ecommerce transactions annually.
Every year:
- Complete a Self-Assessment Questionnaire (SAQ).
- Submit an Attestation of Compliance (AOC) form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

Level 4: Merchants processing fewer than 20,000 Visa ecommerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
Every year:
- Complete a Self-Assessment Questionnaire (SAQ).
- Submit an Attestation of Compliance (AOC) form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (ASV).
PCI DSS Compliance: External Audits
PCI DSS compliant businesses must pass a yearly on-site PCI DSS audit conducted by a Qualified Security Assessor (QSA). The auditor uses this time to conduct on-site interviews and inspect the security processes the business has in place.
These include inspecting where and how cardholder data is stored, and conducting interviews with employees about standard operating procedures.
“They want to attest to the fact that we are continually following guidelines,” says Ed Bills, PDCflow’s Chief Operations Officer.
PCI DSS Requirements: Processes and Internal Controls
SYSTEM SCANNING
Internal vulnerability scans confirm that our systems are free of known vulnerabilities, and how often they run is what matters. PDCflow runs daily and weekly scans to continually monitor system security.
Third-party penetration testing is also useful for monitoring system health. Hiring an outside party to look for weaknesses brings in someone with a neutral perspective.
RIGOROUS CHANGE CONTROL
MONITORING
PROTECTING CARD DATA
SECURE ENTRY OVERLAY
In addition to the routine scans and policies that keep our system compliant, PDCflow offers an extra layer of PCI protection. Our patented Secure Entry Overlay technology allows businesses to provide a seamless credit card payment process to consumers.
This technology overlays a PCI-certified website over a company's site when cardholder data is keyed in. The sensitive data never enters the company's site. This frees the company from encryption, tokenization and storage, and from the PCI responsibilities that go along with those tasks.
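The internal scanning described under SYSTEM SCANNING and the overlay's promise that sensitive data never enters the company's site are both easier to trust when a merchant can check them. The following is an added example, not PDCflow's code and not the Secure Entry Overlay itself: a small scanner a merchant could run over its own logs, ticket notes or form-handler payloads to confirm that no primary account number (PAN) has slipped into its systems. Every 13 to 19 digit candidate is Luhn-validated so that order numbers and timestamps are not reported, and anything found is masked to the first six and last four digits. The log lines are constructed for the example and use public test card numbers, not real accounts.

```python
"""Scan text records (log lines, ticket notes, form-handler payloads) for
unprotected primary account numbers (PANs).

Added example for this PCI DSS write-up. It is not PDCflow's code and does
not describe the Secure Entry Overlay internals; it is the kind of internal
check a merchant can run to confirm cardholder data is staying out of its
own systems. The sample records are constructed and use public test card
numbers, not real accounts.
"""
import re
from typing import Iterable, List, NamedTuple

# A 13-19 digit run, optionally separated by spaces or dashes, that is not
# part of a longer digit run (so the middle of a long numeric id is ignored).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    record_no: int    # 1-based index of the record the PAN was found in
    masked_pan: str   # first six and last four digits only


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that card brands apply to their PANs.

    It filters out digit runs that merely look like card numbers: an
    invalid checksum means the run is an order id, timestamp or similar.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # digit sum of the doubled value
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, which PCI DSS allows to be
    displayed, and replace the middle digits with asterisks."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def scan_records(records: Iterable[str]) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN in the records, masked."""
    findings: List[Finding] = []
    for n, record in enumerate(records, start=1):
        for match in CANDIDATE_RE.finditer(record):
            digits = _strip_separators(match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(n, mask_pan(digits)))
    return findings


def redact(record: str) -> str:
    """Return the record with every Luhn-valid PAN masked in place, so it can
    be written to a log or ticket without storing a full card number."""
    def _mask(match):
        digits = _strip_separators(match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return CANDIDATE_RE.sub(_mask, record)


# Constructed sample records; the card numbers are public test numbers.
SAMPLE_RECORDS = [
    # Clean: the merchant only received a token from the hosted payment page.
    "2024-03-15T10:01:02Z POST /pay token=tok_9f3a1c order=1710000000000000 ok",
    # Leak: a debug statement logged the raw form body, PAN included.
    '2024-03-15T10:01:03Z DEBUG body={"card":"4111 1111 1111 1111","exp":"12/26"}',
    # Leak: a support agent pasted a card number into a ticket note.
    '2024-03-15T10:05:44Z TICKET note="card 5555-5555-5555-4444 declined"',
    # Not a PAN: 16 digits, but the Luhn check fails, so it is left alone.
    "2024-03-15T10:06:00Z INFO refund ref=4111111111111112 amount=10.00",
]


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"record {finding.record_no}: PAN {finding.masked_pan}")
    print(redact(SAMPLE_RECORDS[1]))
```

Run it over real log exports before an audit or after a change to the checkout page: an empty result is evidence that the overlay is keeping card data off the site, and a hit points at the exact logging statement or workflow that needs fixing. It complements the quarterly ASV scan rather than replacing it, since the ASV scan looks for vulnerabilities, not for stored cardholder data.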
While PCI compliant companies are audited annually, maintaining PCI DSS compliance is a year-round job.
“You set up the process, follow it throughout the year, and that is what keeps you compliant,” says Bills. There’s no quick fix for getting certified if you’re not constantly working towards that data security goal.
In all, there are four levels of PCI compliance and 12 PCI DSS requirements to meet in order to achieve it.