What is PCI?

What is PCI?

What is the PCI Security Standards Council?

The Payment Card Industry Security Standards Council (PCI SSC) is an independent association composed of representatives from each of the five card companies who founded it, American Express, Discover Financial Services, JCB International, MasterCard, and Visa. The Council also includes additional Strategic Members. The PCI SSC administrate the PCI Data Security Standard (PCI DSS).

Each of the five founding member credit card companies agrees to uphold the PCI Security Standards and recognize Approved Scanning Vendors and Qualified Security Assessors approved by the PCI Security Standards Council.

Read More: Choosing a Restaurant Business Structure

What is PCI DSS and why is compliance important?

The purpose of PCI DSS is to limit credit card fraud. The standards were developed from real-world investigations into the causes of fraudulent transactions and data and identity theft. Without exception, all merchants who accept credit cards are required by the card companies to be PCI compliant.

If you are found to be out of compliance and responsible for a data breach through negligence, you are open to thousands of dollars in fines, fees, penalties and charges related to the cost of the investigation. You will be required to conform to Merchant Level 1 compliance stringency requirements or could lose the privilege of taking credit card payment for your business altogether!

An example fine for PCI noncompliance might be $50,000.00 for the first month for a Level 1 Merchant, on up to $100,000.00 a month for continued noncompliance! Fines include investigatory costs and penalties that a credit card issuer may charge for PCI noncompliance that leads to fraud.

What are the six goals and twelve requirements of PCI DSS?

The PCI Data Security Standard clearly states how merchants are expected to protect cardholder data in the 12 requirements and 6 goals of PCI DSS. PCI compliance is based on the following, but keep in mind that the official PCI documentation contains subsections for each of the 12 requirements, with specific conditions to meet.

Goals PCI DSS Requirements

Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  1. Use and regularly update anti-virus software on all systems commonly affected by malware
  2. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes

Maintain a policy that addresses information security

  1. Maintain a policy that addresses information security

Merchant Levels, reporting, and PCI DSS assessment requirements

The credit card companies have defined Merchant Levels based on certain criteria. While every merchant who accepts credit card payments must be PCI compliant, your Merchant Level with the credit card companies determines how stringently your compliance is verified. This includes the type of security assessments and reports you’re required to file for annually to verify your PCI compliance.

This article is meant to be a guide and standards are always changing. Each credit card company sets its own merchant level criteria and requirements. Confirm with your acquiring bank what your Merchant Level and reporting requirements for each card is.

The following is a general guide to Merchant Levels and PCI requirements at each level:

Level 1

  • Any merchant who has experienced a hack or attack that that resulted in an account data compromise.
  • Any merchant with more than six million payment processing transactions per-year.
  • Any merchant classed as Level 1 at the sole discretion of the card company based on their assessed risk.


  • Annual onsite security audit with a 3rd party Qualified Security Assessor (QSA) who submits a Report On Compliance (ROC)
  • Quarterly network scan conducted by Approved Scanning Vendor (ASV) •Submit Attestation Of Compliance (AOC) form


Level 2

  • Any merchant with one million to six million payment processing transactions per-year.


  • Annual onsite security audit with QSA or an Internal Security Assessor (ISA), who submits ROC
  • Quarterly network scan conducted by ASV
  • Submit AOC


Level 3

  • Any merchant with 20,000 to one million payment processing transactions per-year.


  • Annual submission of appropriate Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan conducted by ASV
  • Submit AOC


Level 4

  • Any other merchant processing payment transactions.


  • Annual submission of appropriate Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan conducted by ASV
  • Submit AOC
  • Ultimately requirements at this level are left up to your acquiring bank

Read More: Choosing a Restaurant Business Structure

Quarterly Network Scan

PCI requires merchants at every level to run internal and external network vulnerability scans at least quarterly, and after any significant change in the network. If you do not pass the network scan, changes to your system will have to be made to ensure network compliance with the PCI DSS. These internal and external network scans and the accompanying records showing a “pass” must be completed 4 times throughout the year.

Network scans must be performed by an Authorized Scanning Vendor (ASV). Vendors are listed on the PCI website, but this is not a guarantee of current authorization. You must continue to check the site to make sure your scanning vendor remains in good standing with PCI.

QSA and ISA Evaluations

A QSA is a third party Qualified Security assessor, tasked with both approving systems that comply with PCI and recommending changes to systems that don’t. A QSA is a highly trained cybersecurity specialist who has received specific instructions from the PCI Security Standards Council on how to interpret and implement the sometimes vague or confusing aspects of PCI DSS compliance.

Level 1 Merchants must have a 3rd party QSA evaluation every year because of the amount of risk associated with their account. Other merchant levels have the choice of using an Internal Security Assessor (ISA) to evaluate their PCI compliance.

Like a QSA, an ISA is a data security expert certified by the PCI Security Standards Council, however as an internal security evaluator their role is has more to do with planning and implementation of PCI DSS at a granular level. As an on-site expert on PCI Data Security Standards, they are able to make sure organizations avoid security weaknesses and that new systems are designed to be compliant with PCI security standards.

PCI AOC and ROC Reports

Every year, an AOC or “Assertion Of Compliance” must be completed. This is signed by an executive of the company who holds a merchant account. The AOC is an affirmation that your organization is in compliance with the PCI DSS and has passed network scans and has fulfilled all 12 requirements of the PCI standard.

An ROC is a 3rd party evaluation report submitted by a QSA. This is required at Merchant Levels 1-2. An AOC is still required, as well as the quarterly network scans and the correct Self Assessment Questionnaire.

SAQ Reporting

Most merchants are not required to have an annual on-site, third party audit performed by a QSA. But you are required to evaluate your PCI DSS compliance and use the appropriate SAQ with your AOC.

There are 8 SAQ types, each for a particular merchant environment. Picking the correct SAQ to submit is critical. The official PCI documentation has extensive information about each SAQ. Depending on what you do with customer data and weather your are performing “card present” or “card not present” transactions, the scope of your SAQ can be extensive or narrow. The most narrow SAQ scope, and therefore easiest to comply with is SAQ P2PE-HW.

You can consult the PCI DSS documentation on SAQs, seek answers from your payment processor, or the help of a professional QSA, to assist you in choosing the correct SAQ to use.

Following the 12 recommendations of the PCI DSS, completing the correct Security Assessment Questionnaire requirements for your Merchant Level and submitting the correct SAQ form to your acquiring bank, is the answer to the question, “What is PCI compliance?”

Rezku is a trademark of Guest Innovations, Inc. “Making Restaurants More” is a service mark of Guest Innovations, Inc. iPad, iPhone, and iPod Touch are the trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple, Inc. Android is a registered trademark of Google. Windows is a registered trademark of Microsoft. Other logos & trade names are the property of their respective owners. Use of Rezku POS and this website are subject to Terms of Use and Privacy Policy.