An interview from the archives of Mountain Media, parent company of Web Payment Software.
Dani: “Hi everyone, I’m Dani Stein, and we’re here today with Taunia Kipp from Mountain Media, who is a Level 2 PCI-compliant service provider. Now if you don’t know what PCI compliance is, don’t worry, neither do I yet; that’s why Taunia is here. She’s going to be clearing up a little bit about PCI compliance for us. So, Taunia, obviously there’s a lot of confusion surrounding what PCI compliance is. Can you explain it for us?”
Taunia: “Well, PCI stands for the Payment Card Industry. So, when we talk about PCI compliance we’re talking about the Payment Card Industry’s data security standards, also known as the PCI DSS. And I’ll apologize in advance: there are a lot of acronyms in this space, so I’ll try to explain them as best as I can. The PCI DSS or the data security standards are a set of requirements that were designed in order to ensure that organizations who handle – organizations or merchants – who handle credit card data, maintain a secure environment. And of course, that’s to protect consumers from credit card fraud, hacks and breaches.”
Dani: “So we know who it benefits: the consumers. Now to whom does PCI compliance apply?”
Taunia: “Okay well, PCI compliance applies to any merchant or organization that accepts, transmits or stores credit card data. So, it doesn’t matter the volume of transactions that they perform on a regular basis, nor which method they utilize for accepting a credit card, whether it’s in a physical store location or online, for example, or by telephone. PCI applies to all.”
Dani: “Now Mountain Media is an ecommerce provider for online merchants. So now if I’m an online merchant and I have my SSL certificate for my website does that necessarily mean that I am PCI compliant?”
Taunia: “It does not, and there’s a lot of confusion there. While an online merchant of course wants to have an SSL certificate for their website, which is a secure socket layer, that is not going to prevent your web servers from malicious attacks. And there are a whole lot of other requirements that go into becoming PCI compliant versus just having an SSL on your website.”
Dani: “So I am this online merchant. I have a third-party service provider like Mountain Media, who is PCI-compliant, why then do I have to be PCI-compliant?”
Taunia: “Well, merely using a third-party provider who is, or a third-party company of any type that is compliant, does not exclude the merchant from being PCI compliant as well. Mountain Media, you know, working with a company like us who is a Level 2 service provider is obviously going to reduce your risk and exposure and also ultimately make it much easier to validate your compliance as a merchant working with a company like ours. There are requirements that you as a merchant have to abide by as well to be PCI-compliant.”
Dani: “So there are actually different standards with PCI compliance. Who enforces these standards?”
Taunia: “Okay, well the Payment Card Industry data security standards are maintained and administered by the Payment Card Industry’s Security Standards Council. Or the PCI, let’s see, SSC – there’s another acronym for you – the Security Standards Council was created by the five major credit card brands which are Visa, Mastercard, American Express, JCB and Discover. That independent organization has a website where you can get a lot of this information and they can help you through the process. And that is the pcisecuritystandards.org.”
Dani: “Now there are different levels of PCI compliance along with those standards. Explain a little bit about those levels and who they apply to.”
Taunia: “Okay, well all merchants are going to fall into one of four different levels, and they have to do with the aggregate number of Visa transactions that you transmit or accept annually. A Level 1 merchant, for example, is a merchant who is processing more than six million Visa transactions annually. Obviously, these are some very large organizations. In Level 1 that’s regardless of the acceptance channel. So, in other words, that can be online on their website, a face-to-face credit card transaction such as a brick-and-mortar store, over the phone, by mail, et cetera. Level 2, similarly to Level 1, applies no matter what the acceptance channel, and that is for one million to six million credit card transactions annually. And then we get into Level 3 and Level 4 merchants, which are primarily the size of merchant that a company like Mountain Media would deal with, and has to do with e-commerce. A Level 3 merchant processes between twenty thousand and one million Visa transactions annually, and those can be of the e-commerce nature. And a Level 4, which is probably the most popular in the US as this is your small to mid-size merchant, processes fewer than twenty thousand credit card transactions annually. When it comes to those levels – 1 through 4 – it’s important to mention that the validation of compliance process is different. So, Level 1 and Level 2 merchants are required to have an onsite audit, and there needs to be submission of a Report on Compliance, which is also known as a ROC – an R, O, C. So, they have to submit a ROC and actually have an independent auditor come out and audit their site. Similarly to what a company like Mountain Media has to have as a service level provider who is trying to become compliant. And then Level 3 and Level 4 merchants are able to complete what’s called an SAQ, or a Self-Assessment Questionnaire. A Self-Assessment Questionnaire means that you are performing your compliance in-house and that you are also attesting to the fact that you are within compliance in-house. And that’s called the SAQ, or Self-Assessment Questionnaire, and hopefully we can talk about that a little more in-depth in the future.”
Dani: “Okay, so Taunia Kipp of Mountain Media here today, explaining a little bit more about PCI compliance. Taunia, it sounds like there’s still a lot left to explain about the different levels of compliance, so we’d be happy to have you back for another video segment very soon.”