PCI DSS applies to you if you are involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically; it also covers manual processing and storage.
Whether you conduct a few payment processes or millions of transactions every year, you will belong to one of four merchant levels:
Level One
- Any merchant processing over 6 million Visa or MasterCard transactions per year.
- Or who has suffered an attack that resulted in an account data compromise.
- Or who has been identified as Level 1, with compliance validated by an independent Qualified Security Assessor or by an internal audit signed by a company officer.
Level Two
- Any merchant processing one to six million Visa or MasterCard transactions per year.
Level Three
- Any merchant processing 20,000 to one million Visa or MasterCard e-commerce transactions per year.
Level Four
- Any merchant processing fewer than 20,000 Visa or MasterCard transactions per year.
- Or all other merchants processing up to one million Visa or MasterCard transactions a year.
What Are the Requirements?
- You must not use card and verification details for any purpose other than completing the card transaction.
- You must not pass card details onto anyone else, except for the purpose of helping them to complete the card transaction, i.e. authorisation and/or settlement.
- You must not store the card security code (last three digits on signature strip), or Track 2 data.
- You are only permitted to keep a separate record of the card number and expiry date if both of these conditions apply:
  - you have the specific agreement of the cardholder, and
  - you are only going to use this information to help with future transactions, such as recurring payments or new orders where further orders are likely.
- In short, you shouldn’t store card data if you don’t need to.
