
Forcing Software for PCI Compliance

May 6th, 2008 in: Fraud, Merchant Accounts

Lately I’ve been hearing reports of processors that are starting to charge their customers $19.95 per month for not being PCI compliant. To fix this problem, these processors are requiring their customers to install some PC based scanning software that is supposed to magically make the business PCI compliant, thereby allowing them to avoid the monthly charge.

Let me start out by saying: This is a bunch of crap!

There is nothing that you can simply install on your PC that will make your business PCI compliant. This is so far off course that it can hardly be related to PCI at all. PCI compliance applies to the networks, computers, hardware and software that play any part in the processing, storage, or transfer of a credit card transaction.

It is now required that every business be PCI compliant, but let me assure you that there is no simple computer program that will do this for any business. Even if only a single computer is used to enter card data, it is unlikely that it is the only piece of the puzzle, and even more unlikely that a single piece of software can guarantee PCI compliance.

Steps to get compliant:

  1. Determine whether you need to be PCI compliant. (If you accept credit cards, or play any part in the processing of a credit card, you need to be PCI compliant.)
  2. Determine which Level of compliance is required for your business.
    • Level 1: Greater than 6 million credit card transactions per year or any business that has suffered a hack or data breach, or any business deemed Level 1 by card associations.
    • Level 2: 1 to 6 Million credit card transactions per year.
    • Level 3: 20K to 1 Million credit card transactions per year.
    • Level 4: Less than 20K ecommerce, or 1 Million total transactions per year.
  3. Fill out the Self-Assessment Questionnaire (SAQ).
  4. Fix every area that you answered ‘NO’ to on the SAQ.
  5. All Levels: Hire an Approved Scanning Vendor (ASV) to perform quarterly scans of any external networks.
  6. Fix and maintain any failed area of the scan.
  7. Level 1 Only: Complete an annual on-site audit by a Qualified Security Assessor (QSA).
  8. ** Continue to maintain security of networks and card information! **

Once you complete all of those requirements, and maintain a secure network and business environment, you are PCI compliant. Most of the details of PCI compliance can be found in the SAQ, and on the PCI Security Standards website.

If you’re trying to determine whether PCI compliance is worth it to you, consider this: a security breach will result in your business being required to meet Level 1 compliance. The cost of Level 2, 3, and 4 compliance can be as low as a few hundred dollars per year. The cost of Level 1 compliance can easily reach into six and seven figures per year.

Some Good PCI Resources:
PCI Answers Blog
PCI Security Standards website
Visa Cardholder Information Security Program
MasterCard SDP Program


  3 Comments

  • 1. Forcing Software for PCI…  |  May 6th, 2008 at 12:10 pm

    [...] Check out the rest of the post here: Forcing Software for PCI Compliance [...]

  • 2. PCI Blog - Compliance Dem…  |  May 7th, 2008 at 8:33 pm

    [...] The Merchant Account Blog covered this yesterday.  Read their post and the comments they left.  We need to get to the bottom of this. [...]

  • 3. The Merchant Account Blog…  |  June 25th, 2008 at 2:12 pm

    [...] some companies feel the need to charge yearly, monthly, daily, peak-season, miscellaneous, PCI compliance, and other fees just for using their [...]
