Vendor Safe has developed its solution set with rapid compliance at a reasonable price in mind. Companies should be focused on managing their day-to-day business, not on the security of their network and credit card data. Let the experts at Vendor Safe do that; they have been solving these types of problems since 1989.
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS), commonly referred to as PCI, is a set of required security practices designed to protect your business from unauthorized access (hacking) that leads to:
- Data Breach
- Theft of Cardholder Data
- Fraud
- Financial Loss to the Merchant
For years, credit card fraud was a burden that the individual credit card brands and their merchant banks were forced to accept. Industry leaders recognized the need for a security standard that would protect the viability of the credit card market place and that would mitigate the risk card holders faced when using their cards. Looking for a way to limit their credit card exposure and losses (estimated at two percent of annual revenue), American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. banded together and founded the PCI Security Standards Council.
Do PCI compliance requirements differ for different merchants?
Different expectations apply to merchants at each of four levels. Visa ranks merchants according to the following system, applying general PCI compliance guidelines; the other major card brands use similar criteria:
Level 1 Merchant Selection Criteria: Any merchant, regardless of acceptance channel, processing over 6,000,000 annual transactions with any one credit card brand.
Validation and Compliance Requirements and Deadline - Sept. 30, 2004
A Qualified Security Assessor (QSA), or an internal audit team if the report is signed by an officer of the company, together with an independent Approved Scanning Vendor (ASV), must perform:
- Annual on-site security audit, at a cost of $15,000 to $25,000.
- Quarterly network scan by an Approved Scanning Vendor (ASV) approved by the PCI SSC.
Level 2 Merchant Selection Criteria: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 transactions per year with any one credit card brand.
Validation and Compliance Requirements and Deadline - June 30, 2005
- Quarterly network scan by an independent ASV.
- Annual PCI Self-Assessment Questionnaire (SAQ) completed by the merchant and sent to the acquiring bank.
Level 3 Merchant Selection Criteria: Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year with any one credit card brand.
Validation and Compliance Requirements and Deadline - June 30, 2005
- Quarterly network scan by an independent ASV as required by the acquiring bank.
- Annual PCI Self-Assessment Questionnaire (SAQ) completed by the merchant and sent to the acquiring bank.
Level 4 Merchant Selection Criteria: Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants, regardless of acceptance channel, not exceeding 1,000,000 transactions per year with any one credit card brand.
Validation and Compliance Requirements and Deadline - Mandatory compliance, Validation is optional
- Quarterly or annual network scan by an independent ASV as required or recommended by the acquiring bank.
- Annual PCI Self-Assessment Questionnaire (SAQ) completed by the merchant and sent to the acquiring bank.
I'm a small, Level 4 merchant, do I have to comply?
Emphatically, YES.
All merchants, regardless of size, are required to implement a PCI-compliant security program and document their adherence annually. Larger merchants have mostly complied with the PCI standards; however, Level 4 merchants lag far behind, and the card brands and merchant acquirers are stepping up their efforts to enforce compliance at all levels.
Most merchants have some type of POS system and a merchant account with a bank that lets them accept and process credit card transactions, but their store network is often not adequately protected from attackers. For credit card and identity theft, this is generally the most devastating point of attack.
According to a December 2008 article in Digital Transactions, Securing the Small Fry, 85 percent of data breaches occur at Level 4 merchants: restaurants and brick and mortar retailers.
What happens if we are not PCI compliant?
Level 4 merchants have been slow to adopt the PCI security standards, even though compliance is mandatory and requires the annual submission of a Self-Assessment Questionnaire (SAQ). If such a merchant suffers a data breach, the fines and compensation fees imposed by the card brands and the banks can be enough to put it out of business; a breached merchant is presumed non-compliant until proven otherwise.
The card brands have extensive forensic tooling, and 40% of breaches can be traced back to the merchant, making that merchant responsible for all fraudulent charges, card replacement fees, and fines.
The fines and the compensation requirements from the credit card companies can be substantial. An example of actual charges levied on a merchant that experienced a breach:
- Repayment of all fraudulent charges
- Card replacement fees of $30 per card
- Fines up to $500,000 from VISA
- Fines up to $200,000 from MasterCard
What are the dangers of noncompliance?
One restaurant franchise incurred fines and charges of $500K from Visa and $200K from MasterCard. On top of the fines and penalties, and once-loyal customers who now consider themselves victims of identity theft because of you, you must deal with the aftermath: an expensive and time-consuming mandatory security audit.
Any Level 4 merchant that is breached may be escalated to Level 1 at the card brand's discretion, meaning that from that point forward an annual PCI compliance audit by a Qualified Security Assessor will be required, at an annual cost of $15,000 to $25,000.
Video: See how one tavern owner's security was compromised.
What solutions does Vendor Safe offer?
Vendor Safe has reduced the complexity of PCI compliance in two ways: first, by making it easier to understand so you can make prudent business decisions about how to comply; and second, by offering affordable monthly fixed-fee PCI compliance solutions that are easily and quickly implemented.
Learn more about our PCI Security Solutions. More information about the PCI SSC is available at the Payment Card Industry Security Standards Council website: https://www.pcisecuritystandards.org/