Donald E. Hester
- Oct 12, 2016
- 2 min read

Security Standards for Processing Credit Cards

All organizations that process payment cards (Visa, MasterCard, AMEX, etc...) have to comply with the Payment Card Industry Data Security Standard (PCI DSS). All organizations will eventually have to provide evidence of compliance by self-assessment questionnaires, network vulnerability scans, and/or audits to their acquiring bank. Any organization that processes, stores or transmits credit card information must comply with the Data Security Standard. This includes organizations that only use paper-based processing, organizations that outsource the credit card processing, and organizations that process credit cards in-house. Since December 31, 2007, the payment card brands increased fees for Visa/Master Card transactions for those level 1 and 2 processors (more than 1 million annual transactions) that have not filed proof of PCI compliance. Most municipalities will be at level 3 and 4 processors (less than 1 million annual transactions), however, this requirement is scheduled to trickle down through the processing banks to each card processor regardless of the quantity of transactions processed. For evidence of compliance, each merchant will have to fill out a self-assessment questionnaire (SAQ) and perform a network vulnerability scan by a PCI approved scanning vendor. In February 2008, the PCI Council announced different levels of SAQ, depending upon the risk of the processing environment. Merchants who outsource processing have 11 questions to attest to, while merchants who process transactions in-house, on custom applications have to attest all 226 questions. No matter what SAQ validation level organizations meet, they must comply with all of the PCI DSS. The questions on the SAQ reflect only the controls with the highest risk based upon the merchant’s processing environment. In the event of a single breach due to non-compliance, the card processor will be liable for the full cost of investigation, mitigation, reimbursement, penalties, and an annual PCI audit to continue to accept credit cards. The cost of a single breach could be more than $500,000, and the annual cost of a PCI audit could be as much as $50,000.