Companies of all sizes that intend to accept credit card payments, and that store, process or transmit cardholder data, must meet PCI compliance. This includes e-commerce companies that offer software and bill-payment solutions by providing PCI-compliant Software-as-a-Service (SaaS).
Additionally, PCI compliance applies to anyone who has access to the servers that house cardholder data, including anyone who creates or manages those servers. If your company outsources data hosting to a third-party data center, that data center must also be PCI compliant, or you may be held liable for failing to be compliant.
Even if you outsource PCI hosting with a third-party company, your company's internal processes are still examined for PCI compliance to ensure you are meeting security regulations.
According to the PCI compliance levels, if your company handles 6 million transactions per year or more, you are subject to the full scope of PCI requirements. This means you must engage an auditor to validate your systems and processes and confirm that you meet PCI requirements.
However, if you handle fewer than 6 million transactions per year, you are not required to engage an auditor. Instead, you have the option of completing a self-assessment questionnaire that asserts you are PCI compliant.
Even if your company handles only 10,000 credit card transactions a year, you must still follow the PCI compliance requirements, even when you only complete a self-assessment questionnaire.
Merchants that evaluate their own security with a self-assessment questionnaire (SAQ) fall into one of the following categories:
- SAQ A: E-commerce, mail or telephone-order merchants with all of their cardholder data services outsourced (does not include face-to-face merchants).
- SAQ B: Merchants that only use imprint machines to copy payment card information and do not store any electronic cardholder data. This also includes merchants using standalone, dial-out terminals with no electronic cardholder data storage.
- SAQ C-VT: Merchants that use only web-based virtual terminals with no electronic cardholder data storage. Virtual terminals don’t read data directly from a payment card, and are connected to the Internet via a third party that hosts the virtual terminal payment processing function.
- SAQ C: Merchants with payment application systems connected to the Internet and no electronic cardholder data storage. These merchants need to ensure that their payment application software vendor can also meet PCI compliance regulations, and that the payment system is not connected to any other systems in their environment.
- SAQ D: This includes all of the other merchants that aren’t included in the above categories, including all service providers defined as eligible to complete a SAQ and approved by a payment brand.