Complete newbie - compliance to what level (if any)


mhurst
04-23-2008, 04:28 PM
I am a new IT Director for a mid-sized company (I've been here less than a year). I have been asked to figure out what we need to do, if anything, about making sure we are compliant. This is the first time I've looked at PCI DSS requirements and to say I'm a little confused is an understatement.

I've had people tell me "Don't worry about it, you are doing so little in terms of volume, it's not an issue." I've also had people say "You are a SAQ D merchant" and all that implies.

Background: We are a home improvement company. We do maybe 10 credit card transactions a month. Usually the card information is phoned in and we manually enter it through a POS software program on one of our office computers that our bank set us up with and they say it is PCI compliant. The credit card info is shredded and we are done with it.

However, sometimes the information comes in via fax or email. Sometimes it is on an attachment to the contract documents. Those documents are typically scanned into JPEG or PDF format and stored in electronic form on one of our servers.

Access to the network is controlled via Active Directory and security groups, so unless you have a user name and password, you can't get into our network much less the data/files. They have been functioning this way for several years, so we probably have credit card information on a couple hundred, maybe a thousand credit cards at most, in various formats on one of our servers. There is probably credit card info in email archives as well.

So a couple of questions.
1. Is there a lower limit to credit card processing where PCI does not apply?
2. Which category, if any, do we fall into?
3. Are the historical files subject to the same rules? Do we have to go back and figure out (find) all of the payments that were made by credit card? I don't think our accounting package could do that.

I am leaning towards just creating a policy that we will not collect credit card information via email and not scanning/storing the card information we collect. I think that would put us into SAQ A, but I'm not sure.

Any help would be appreciated. Thanks in advance.

jbhall56
04-23-2008, 08:41 PM
I've had people tell me "Don't worry about it, you are doing so little in terms of volume, it's not an issue."

Not true. Volume only matters from a standpoint of what merchant level you are. So, if you process even one credit card transaction, you are required to comply with the PCI DSS.

We are a home improvement company. We do maybe 10 credit card transactions a month. Usually the card information is phoned in and we manually enter it through a POS software program on one of our office computers that our bank set us up with and they say it is PCI compliant. The credit card info is shredded and we are done with it.

You are processing 120 credit card transactions per year, so you are a Level 4 merchant based on the card brand rules. However, you need to confirm this fact with your acquirer (the company that processes your credit card transactions).

However, sometimes the information comes in via fax or email. Sometimes it is on an attachment to the contract documents. Those documents are typically scanned into JPEG or PDF format and stored in electronic form on one of our servers.

This is an issue as the PDFs are definitely searchable. Granted, we have a limited number of accounts that could be breached, but a breach is a breach regardless of volume, so you need to address this situation. You need to ensure that the facsimiles and emails do not end up on backup tapes as that also puts your backups in scope and subject to all of the relevant PCI DSS requirements. Your best procedure is to print this information out, file it in a secure manner and delete it as soon as possible from your facsimile or email system so that it does not end up being backed up.

1. Is there a lower limit to credit card processing where PCI does not apply?

No.

2. Which category, if any, do we fall into?

On the face of things, I'd say Level 4, but this needs to be confirmed with your acquirer.

3. Are the historical files subject to the same rules? Do we have to go back and figure out (find) all of the payments that were made by credit card? I don't think our accounting package could do that.

Yes, historical files are subject to the PCI DSS. Given your volume of transactions, your risk appears relatively low. However, you should assess if that is truly the case. Depending on where you store your backups, you may find that your risk is higher, potentially higher than you or your management are willing to accept.

I am leaning towards just creating a policy that we will not collect credit card information via email and not scanning/storing the card information we collect. I think that would put us into SAQ A, but I'm not sure.

IMHO, you are likely already an SAQ A, so doing what you suggest would not change that status. You can still accept the occasional transaction via facsimile or email, just do NOT make it a practice and print and delete the information ASAP when it does occur so it does not get backed up. And then securely store the paper information until you are able to properly destroy it.

mhurst
04-24-2008, 02:37 PM
Thanks for your response. Just one quick follow up.

What is an acquirer? Is that the local bank we do business with or is that the company that is processing the credit card for us? I'm the IT guy and these terms take some getting used to.

wconway
04-24-2008, 08:03 PM
Your "acquirer" is your payment card processor, that is, the party between you and the card brands. Based on your original post, I'd guess it's the bank that provides you with your POS system and/or the bank or card processor you phone up for card authorizations. If in doubt, ask your finance person: "Who pays us for these card transactions?" They'll answer: "Oh, we send them to xxx (acquirer) and they send them to Visa/MasterCard and we get paid."

mhurst
04-24-2008, 08:54 PM
Thanks for that.

I asked our CFO who our acquirer was. Deer in the headlights look. Of course, since we do such a small volume of credit card transactions (both in number and % revenue to the company), he still may not know the answer.

I'm sure the AP/AR person has the correct answer. Now I have the correct question.