Rules for small online merchants


bjaspan
02-20-2007, 09:11 AM
I imagine this is (or should be :-) a very common question.

I am a small Internet-only merchant and have been accepting credit cards online for almost ten years. I am currently using a third-party payment gateway (Authorize.Net) to process transactions. I have my own shopping cart software (both custom written and third-party open-source tools) and collect customer payment information including cc# on my own SSL-protected pages. I pass the information to the payment gateway in the background for authorization & capture. Currently, I never store the cc#, ccv, or expiration date, though I do store name and address information.

What am I required to do regarding PCI DSS compliance, if anything? What penalties do I face if I do not meet the requirements?

Suppose I change my system so I store cc# information in encrypted form (let's assume for this discussion that the crypto security, key management, etc., is sound). Now what am I required to do, and what penalties can I face? Does the answer depend at all on the size of my organization (# of employees or customers, $ value of transactions, total sales, whatever)?

Thanks,

Barry

bjaspan
02-20-2007, 10:15 AM
I just found this page:

http://usa.visa.com/merchants/risk_management/cisp_merchants.html

If I understand it, I am a "Level 4" VISA merchant (unless I get hacked or VISA decides to declare me Level 1 by fiat). At level 4, I may be required to fill out an Annual PCI Self-Assessment Questionnaire and receive a quarterly network scan. However, it is up to my acquirer (which I believe is my "acquiring bank" a.k.a. the bank with whom I have my merchant account) to decide if I need to and, if so, to set the deadlines for it.

I have yet to find information about penalties for Level 4 merchants.

K Heath
02-20-2007, 03:11 PM
Barry,
Any merchant storing, processing or transmitting credit card details is required to be PCI compliant. Though you may not be storing credit card details currently, it seems you are processing and transmitting them via your website and associated application software. You would need to ensure this processing is compliant with PCI standards. You can find the standards and other useful information at https://www.pcisecuritystandards.org/index.htm

Your acquiring bank (the one with whom you have your merchant account) should be able to tell you what level merchant you are. The requirements may differ slightly in different geographical regions, but if you are processing more than 20,000 e-commerce transactions per annum, you would be required to perform a self-assessment (using the self-assessment questionnaire) and undergo a vulnerability scan. For smaller merchants these are recommended but not mandated.

Visa has an arrangement with ScanAlert to provide free vulnerability scanning to its merchants for up to 50 IP addresses. You can sign up for a free vulnerability scan at http://www.scanalert.com/. Select the Visa icon on the right hand side of the page.

Regarding penalties... where merchants are non-compliant, the card brands (Visa, Mastercard, etc.) can impose financial penalties on the acquiring bank. The bank may, in turn, impose these penalties on the merchant. I understand that the amount of any penalty is variable and would consider things like the PCI compliance status of the merchant, whether the merchant is taking steps to become compliant, whether card data has been compromised, the amount of financial loss, etc.

If you change your processing to include the storage of credit card data, then the scope of systems to be compliant will increase and there will be additional controls that need to be in place to protect the stored information. For instance, you would need to use an industry recognised encryption algorithm. I'm not sure that this would result in a potentially larger penalty in the event of a compromise, but it would make it more difficult for you to be compliant.

I hope this helps.
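To make the storage change discussed above concrete, here is an added example (my illustration, not code from Barry or from K Heath) of what a merchant record looks like when the only copy of the card number kept at rest is encrypted with an industry-recognised algorithm, AES-256-GCM here. The number is Luhn-checked before it is stored, a masked form (first six and last four digits) is kept for display, and the record deliberately has no field for the CVV, which is accepted for the authorization call and then discarded. The `dek` argument is a stand-in for a 32-byte data-encryption key that a real deployment would hold outside the card database; that key handling is exactly the extra scope the post describes. The card number is the well-known 4111... Visa test number, not a real account, and the customer data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is the only shape in which card data is persisted: the PAN
// encrypted, a masked copy for display, and the expiry. There is no CVV
// field on purpose; that value must never be stored after authorization.
type CardRecord struct {
	Name      string
	MaskedPAN string // e.g. "411111******1111"
	Expiry    string // MM/YY
	EncPAN    []byte // AES-256-GCM: nonce || ciphertext || tag
}

// luhnValid rejects mistyped or malformed numbers before they reach storage.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

// maskPAN keeps the first six and last four digits (the most PCI DSS permits
// to be displayed) and replaces everything between them with '*'.
func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// encryptPAN seals the PAN under dek (a 32-byte key held outside the card
// database; assumed here) with a fresh random nonce prepended to the output.
func encryptPAN(dek []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN reverses encryptPAN; GCM rejects any tampered ciphertext.
func decryptPAN(dek []byte, blob []byte) (string, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreCard builds the record to persist. The CVV is required to be present
// (the gateway needs it for authorization) but is not copied anywhere.
func StoreCard(dek []byte, name, pan, expiry, cvv string) (CardRecord, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !luhnValid(pan) {
		return CardRecord{}, errors.New("invalid PAN")
	}
	if cvv == "" {
		return CardRecord{}, errors.New("CVV required for authorization")
	}
	enc, err := encryptPAN(dek, pan)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{Name: name, MaskedPAN: maskPAN(pan), Expiry: expiry, EncPAN: enc}, nil
}

func main() {
	dek := make([]byte, 32) // constructed all-zero key for the demo only
	rec, err := StoreCard(dek, "Test Customer", "4111 1111 1111 1111", "12/29", "123")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %s %s %s (%d encrypted bytes)\n", rec.Name, rec.MaskedPAN, rec.Expiry, len(rec.EncPAN))
}
```

Keeping the encrypted PAN and the masked PAN as separate columns means ordinary pages (order history, customer service) never need the key at all; only the code path that re-uses the card for a new charge decrypts, which is what keeps the rest of the application out of the expanded compliance scope.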

admin
02-20-2007, 07:38 PM
It should be noted that the ScanAlert arrangement is only for Visa Asia-Pacific and does not apply to merchants in the US or Europe.

It is correct that ALL people who store, process, or transmit credit card data must be compliant with the PCI requirements. All merchants must comply, but the validation requirements are different depending on card brand/association and region.

K Heath
02-20-2007, 07:56 PM
Thanks, I stand corrected. The Visa ScanAlert arrangement is only for merchants in Asia Pacific, and Latin America and the Caribbean.