PCI Compliance is required for all merchants involved with the processing, transmission, or storage of credit card data. If your Paid Memberships Pro-powered site charges for membership, you have a responsibility to meet the standards of PCI Compliance as outlined by the Payment Card Industry Data Security Standards (PCI DSS).
This post describes general PCI Compliance goals, requirements by gateway and credit card type, as well as links to more information for each gateway.
Overview of the Goals and Requirements
The PCI DSS is constantly updating and enhancing the goals and requirements of PCI Compliance. The table below gives a high level overview:
Goals | PCI DSS Requirements |
---|---|
Build and Maintain a Secure Network | 1: Install and maintain a firewall configuration to protect cardholder data; 2: Do not use vendor-supplied defaults for system passwords and other security parameters |
Protect Cardholder Data | 3: Protect stored cardholder data; 4: Encrypt transmission of cardholder data across open, public networks |
Maintain a Vulnerability Management Program | 5: Use and regularly update anti-virus software; 6: Develop and maintain secure systems and applications |
Implement Strong Access Control Measures | 7: Restrict access to cardholder data by business need-to-know; 8: Assign a unique ID to each person with computer access; 9: Restrict physical access to cardholder data |
Regularly Monitor and Test Networks | 10: Track and monitor all access to network resources and cardholder data; 11: Regularly test security systems and processes |
Maintain an Information Security Policy | 12: Maintain a policy that addresses information security |
Know Your Merchant Level
PCI Compliance requirements are based on your Merchant Level, which varies by payment card brand. Several factors influence your merchant level, including annual transaction volume, history of fraud or security breaches, the ratio of card-present to card-not-present transactions, your merchant level with other payment card brands, and the discretion of the payment card brand itself.
An Overview of Merchant Levels by Card Brand
Visa | Criteria |
---|---|
Merchant Level 1 | |
Merchant Level 2 | 1 million – 6 million Visa or MasterCard transactions per year |
Merchant Level 3 | 20,000 – 1 million Visa or MasterCard e-commerce transactions per year |
Merchant Level 4 | Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year |

Mastercard | Criteria |
---|---|
Merchant Level 1 | |
Merchant Level 2 | |
Merchant Level 3 | |
Merchant Level 4 | All other merchants |

Discover | Criteria |
---|---|
Merchant Level 1 | |
Merchant Level 2 | All merchants processing between 1 million and 6 million card transactions annually on the Discover network |
Merchant Level 3 | All merchants processing between 20,000 and 1 million card-not-present only transactions annually on the Discover network |
Merchant Level 4 | All other merchants |

American Express | Criteria |
---|---|
Merchant Level 1 | 2.5 million American Express Card Transactions or more per year; or any Merchant that American Express otherwise deems a Level 1. |
Merchant Level 2 | 50,000 to 2.5 million American Express Card Transactions per year |
Merchant Level 3 (designated) | Less than 50,000 American Express Card Transactions per year and has been designated by American Express as being required to submit validation documents. Designated Merchants are notified in writing by American Express at least 90 days before document submission is required. |
Merchant Level 3 (non-designated) | Less than 50,000 American Express Card Transactions per year and has not been designated by American Express as being required to submit validation documentation. |
Merchant Level EMV | Have not been involved in a Data Incident within the previous 12 months and also: |
Last updated on October 10, 2015
Where to Start: The SAQ
Level 4 Merchants can begin their PCI Compliance journey by completing a PCI Self-Assessment Questionnaire (SAQ). The PCI DSS also has an informative website for Small to Mid-Sized Merchants. There you can learn about your responsibilities as a small merchant and receive news and updates about small merchant requirements from the PCI DSS.
The PCI SSC provides a variety of informational tools, resources, and worksheets on its website that will help guide you through the Self-Assessment Questionnaire or a higher level of PCI Compliance requirement. You can download these tools from the PCI SSC Documents Library.
Merchants in Levels 1-3 will most likely be contacted by their gateway or the payment card brands they accept to complete higher-tier compliance requirements. This may include a quarterly independent scan by a PCI-approved scanning vendor such as Trustwave. Level 1 Merchants may be required to undergo an annual on-site security audit.
Why We Love Stripe and Braintree
If you are using Stripe or Braintree and serve your checkout page over SSL, you (as the merchant) have done everything necessary to comply with the Payment Card Industry Data Security Standards.
Our Stripe integration uses the Stripe.js method to collect credit card (and other similarly sensitive) details without having the information touch your server.
Braintree’s transparent redirect, client-side encryption and vault bring you 90% or more of the way towards compliance. This method eliminates the vast majority of the PCI compliance burden you would otherwise face.
The customer information saved in your database is limited to the payment method’s last four digits and expiration date. With Stripe, as well as Braintree, the rest is never posted to your WordPress site’s server.
Other Gateways and PCI Compliance
With Authorize.net or PayPal Payflow, the customer’s credit card information is posted to the web server and then sent to the API. In this case, you have more responsibility for PCI Compliance.
PayPal Express and PayPal Standard both process payment offsite, so there is less need to explore PCI Compliance if your primary gateway is one of these.
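To make the difference between the two data flows above concrete (the Stripe.js-style flow where card details never touch your server, and the Authorize.net / Payflow-style flow where they are posted to your server first), here is an added example. It is not code from Paid Memberships Pro, Stripe, Braintree or any gateway: the client-side tokenizer is a stand-in we wrote for illustration, the token format and sample card are constructed, and the `containsPAN` check (a Luhn-validated scan of a request body or log line for anything that looks like a full card number) goes a step beyond the text as a way to confirm which flow your site is actually running.

```javascript
// Added example, not code from Paid Memberships Pro or any payment gateway.
// Simulates the two checkout data flows described on this page and adds a
// check a site owner can run over request bodies or logs to confirm that no
// full card number (PAN) is reaching the server. Tokenizer, token format and
// sample values are constructed placeholders.

// Luhn mod-10 checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// True if the text contains a run of 13-19 digits (spaces or dashes allowed
// between digits) that passes the Luhn check, i.e. something that looks like
// a real PAN. Longer digit runs are checked in every 13-19 digit window.
function containsPAN(text) {
  const runs = String(text).match(/\d(?:[ -]?\d)+/g) || [];
  for (const run of runs) {
    const digits = run.replace(/[ -]/g, '');
    for (let len = 13; len <= 19 && len <= digits.length; len++) {
      for (let start = 0; start + len <= digits.length; start++) {
        if (luhnValid(digits.slice(start, start + len))) return true;
      }
    }
  }
  return false;
}

// Stand-in for a browser-side tokenizer such as Stripe.js: the card details
// go from the browser to the gateway, which hands back an opaque token plus
// the display fields. Hypothetical; the token format is made up.
let tokenCounter = 0;
function simulateClientTokenizer(card) {
  tokenCounter += 1;
  const digits = card.number.replace(/[ -]/g, '');
  return {
    token: 'tok_sim_' + String(tokenCounter).padStart(6, '0'),
    last4: digits.slice(-4),
    exp_month: card.exp_month,
    exp_year: card.exp_year,
  };
}

// Flow A: Stripe.js-style checkout. The only card-related fields the site's
// server ever receives are the token and the display fields.
function tokenizedCheckoutBody(card, plan) {
  const t = simulateClientTokenizer(card);
  return { plan, token: t.token, last4: t.last4, exp_month: t.exp_month, exp_year: t.exp_year };
}

// Flow B: direct-post checkout (the Authorize.net / Payflow pattern). The full
// card number and CVC are posted to the site's server before being forwarded
// to the gateway API, which is what puts the server in PCI scope.
function directPostCheckoutBody(card, plan) {
  return { plan, number: card.number, cvc: card.cvc, exp_month: card.exp_month, exp_year: card.exp_year };
}

// What the site may persist from either flow: last four digits and expiry only.
function persistableRecord(body) {
  const last4 = body.last4 !== undefined ? body.last4 : body.number.replace(/[ -]/g, '').slice(-4);
  return { last4, exp_month: body.exp_month, exp_year: body.exp_year };
}

// Constructed sample card: a well-known test number, not a real card.
const sampleCard = { number: '4242 4242 4242 4242', cvc: '123', exp_month: 12, exp_year: 2030 };
const flowA = tokenizedCheckoutBody(sampleCard, 'monthly');
const flowB = directPostCheckoutBody(sampleCard, 'monthly');
console.log('tokenized body carries a PAN:', containsPAN(JSON.stringify(flowA)));   // false
console.log('direct-post body carries a PAN:', containsPAN(JSON.stringify(flowB))); // true
console.log('stored either way:', persistableRecord(flowA));
```

Running `containsPAN` over the raw body your checkout endpoint receives (or over the web server's access and error logs, which is where PANs tend to leak unnoticed) is a quick way to verify that your site really is on the token-only path before you rely on that fact for your SAQ.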