Wednesday, January 7, 2009

PCI Compliance Required?

When I log into my merchant account, I see this message:

We're getting many questions about the requirements for PCI certification.
The requirement for merchants processing less than 20,000 transactions per year is just a PCI Self-Assessment Questionnaire as long as you don't store any credit card numbers.

I don't store credit cards; I do it all through others. But I do over 10K transactions per month, which is a great deal more than 20K transactions per year. Do I need to fill out the PCI Self-Assessment Questionnaire? Do I need to do more?

To figure this out I should probably contact my vendor. Here's the truth about my vendor: I almost never talk to the bank. Sometimes I forget who it is. My entire relationship is with -------, who I guess is an ISO for them. They're a pretty small company for me to be running over 120K transactions (mostly small, in the $20 - $60 range) through.

This is where I admit that I've never created or discovered a truly great glossary to help me understand the roles of the merchant bank, the gateway, the network, third party processors, ISOs, and so on.

Returning to the question of PCI compliance, I'll call my processor. I didn't make it to the PCI compliance webinar that I said I would attend. I did, through consulting, discover two blogs about PCI compliance. I'll read them next:
PCI Answers
Payment Card Security & IT Controls Explained
