
PCI Compliance

May 7, 2024

Description

Learn about PCI compliance, why it is important, and who it applies to

The Payment Card Industry Data Security Standard (PCI DSS, often shortened to PCI) is a minimum set of security requirements intended to ensure that every company that accepts card payments protects cardholder data. The PCI Security Standards Council (formed by the card brands) publishes the standard; it is enforced by the card brands, acquiring banks and payment processors. By adhering to the standard, businesses reduce their exposure to security breaches, safeguard customer data, and protect the integrity of electronic payments.

Why is PCI important?

Protects customer data

Your customers trust you with their card data when they make purchases from your business. If you break that trust and fail to protect that data, you expose your customers to financial harm. Because every U.S. state has a data breach notification law, a breach will quickly become public, damaging your reputation and putting future business at risk.

Avoids fines and lawsuits

In the event of a data breach, you may face card brand fines, government fines, customer lawsuits, third-party lawsuits and more. Maintaining PCI DSS compliance makes a breach less likely in the first place, and if a breach does occur while you are compliant, it may reduce both the fines assessed and the liability your company incurs.

Secures business data

It is also important to protect the data of your business and your employees. Malware, remote-access attacks and social engineering all threaten your computers, networks and servers, so the same precautions are needed there. Although the purpose of the PCI DSS is to protect card data from attackers, applying this minimum standard across your whole organization helps keep all of your data secure, avoiding costly breaches and protecting both your employees and your customers.

Who does PCI apply to?

Every merchant who accepts credit or debit cards as a method of payment is required to comply with the PCI DSS. How you validate that compliance depends on your merchant level. Merchant levels are defined by the card brands and are based on your transaction volume: the number of card transactions per year, not their dollar amounts.

Transaction Volume determines PCI Merchant level

Merchant level   Transaction volume (card transactions per year)
Level 1          More than 6 million, across all channels
Level 2          Between 1 million and 6 million, across all channels
Level 3          Between 20,000 and 1 million e-commerce transactions only
Level 4          Fewer than 20,000 e-commerce transactions and fewer than 1 million transactions overall

Level 1 and 2 merchants

Bank of America's Merchant PCI L1 and L2 program assigns each merchant a PCI Analyst. The PCI Analyst receives the merchant's annual PCI validation documentation and reviews it to confirm that it properly validates the merchant's PCI compliance status.

Throughout the year, the PCI Analyst also serves as the merchant's resource for PCI questions and clarifications, program updates, newly announced PCI DSS version changes, and similar matters. This resource is provided at no additional cost. The PCI Analyst contacts merchants ahead of their annual due dates and maintains routine communication to stay apprised of their status.

Level 3 and 4 merchants

Bank of America simplifies the process of self-assessment by providing you with all of the tools you need to achieve, maintain and validate your PCI compliance.

Log in to PCI Assist to complete your compliance validation. After you enter some basic information about your environment, you are presented with a series of questions that will:

  • Direct you to the proper Self-Assessment Questionnaire (SAQ).
  • Limit the number of questions you need to answer. For example, if you indicate that you do not use Wi-Fi, all Wi-Fi related questions are pre-answered for you.
  • Present the questions in non-technical language where possible, with clear help text that includes examples and suggestions.
  • Allow you to stop at any point and return later without losing any of your answers.
  • Provide help by chat, email or call center during normal business hours, with agents who can explain the requirements and help you navigate the portal.
  • Provide tools such as vulnerability scanning (where your SAQ requires it) and downloadable security policy templates.

You do not need to print your SAQ or network scan results and send them to the bank; the portal records your compliance status for you.
