Staying PCI Compliant — A Step by Step Guide

If you accept credit cards in your business, you must be “PCI Compliant”. You may be familiar with the term or it may seem foreign to you. Chosen Payments is here to help you understand everything you need to know about it. PCI stands for Payment Card Industry which comprises Visa, MasterCard, American Express, and Discover. Compliant refers to the standards that merchants are expected to abide by in order to process card transactions online. These best practices are collectively known as the Payment Card Industry Data Security Standard (PCI DSS), and they were created jointly by the four brands mentioned. Being compliant means using business practices to provide protection of credit card data.

Who Needs PCI Compliance?

PCI compliance is required for any business that processes, stores, or transmits credit card data. It is not size-dependent. Every merchant must be compliant. Merchants must validate their compliance every year through a self-assessment questionnaire. Chosen Payments provides the self-assessment test for you and helps you complete it with guidance, because some of the questions can be tricky. Basically, the assessment determines whether merchants are handling transactions properly and safely without exposing the cardholder’s information to any third party. Different businesses might have different standards based on the number of credit card transactions processed. “Level one” is for the highest-volume merchants. The levels go from one to four, with “level four” being the lowest volume.

Even if you run a small business with only a handful of transactions each month, you still need to maintain PCI Compliance at all times. Smaller merchants are a bigger target for data hackers, who assume that you likely don’t have extensive security, firewalls and other measures to prevent hacks. Whether a company is large or small, hackers are looking for ways to get in and steal credit card data. You need to know that companies that incur a data breach while not in compliance will be assessed fines by the PCI Security Standards Council. That in itself makes PCI compliance very important to any business that handles online payments. It is well known that large companies such as Target, Marriott, Chipotle and Home Depot made national headlines when they were hacked and hundreds of thousands of credit cards were compromised. PCI Compliance goes a long way toward protecting your business reputation.

STEP 1: Determining Your PCI Level

Merchants that process over six million transactions per year are designated level one. Those that process between one and six million per year are level two. If your business processes 20,000 to one million transactions in a year, that’s level three. Anything less than that is level four.

STEP 2: Knowing the Penalties

The penalties for failing to remain PCI Compliant can include fines, increased fees, and sanctions from banks, and could progress to placing you on a watch list that would prevent you from accepting credit cards or processing them through any credit card processor. In cases of major negligence, businesses that are not PCI Compliant can be subject to lawsuits and/or criminal prosecution.

STEP 3: Complete a Self-Assessment Questionnaire

You can obtain a self-assessment questionnaire from Chosen Payments or you can visit the PCI Security Standards Council website. There are different questionnaires that apply to different types of businesses. Each one is a series of yes or no questions that help determine whether your business is meeting the requirements for safeguarding your customers’ credit card data. Keep in mind that if you answer “no” to any of the questions, it can be considered a red flag.

STEP 4: Maintain a Firewall Protected Network

Some of the questions asked in the assessment are technical questions that only your network administrator may be able to answer. If you rely on a third-party company to maintain your computers and network, you will have to ask them for assistance. There are also questions about firewalls and network security that you might not know the answer to. If you find yourself lost in this area, Chosen Payments can assist you in determining whether your network meets the requirements to be PCI Compliant. If you don’t know what a firewall is or whether you have one, you will need assistance. This is a big component of data security. A firewall separates activity inside your network from activity outside it and enforces rules about which outside connections are allowed in, so that your network knows who to trust when someone tries to enter from the outside. Basic PCI Compliance is about using systems that prevent unauthorized access to your network and ultimately to wherever credit card data is stored within your systems.

STEP 5: Complete Attestation and Submit to Chosen Payments

An “attestation of compliance”, also known as an AOC, is a form you will use to confirm the successful results of your PCI DSS assessment. Once you provide that to us, we will have a qualified security assessor review your assessment to make sure you are in compliance. We will submit your AOC on your behalf, and you will be issued a “Compliance Certificate”. Banks and credit card companies alike may want to see your certificate to ensure protection, and you will have it on hand.

All Chosen Payments merchants are notified automatically when their PCI Compliance Certificate is about to expire. We will provide you with a link to the self-assessment. If you require assistance in completing the assessment or have questions about compliance, Chosen Payments can be reached at 855-4CHOSEN for guidance or email us at
