PCI Compliance is required for all merchants involved with the processing, transmission, or storage of credit card data. If your Paid Memberships Pro-powered site charges for membership, you have a responsibility to meet the standards of PCI Compliance as outlined by the Payment Card Industry Data Security Standards (PCI DSS).

This post describes general PCI Compliance goals, requirements by gateway and credit card type, as well as links to more information for each gateway.


An Overview of the Goals and Requirements

The PCI DSS is constantly updating and enhancing the goals and requirements of PCI Compliance. The table below gives a high-level overview of the twelve requirements, grouped by goal:

Goal: Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmissions of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Goal: Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

Know Your Merchant Level

PCI Compliance requirements are based on your Merchant Level, which varies by payment card brand. Several factors influence your merchant level, including annual transaction volume, history of fraud or hack, ratio of card-present to card-not-present transactions, merchant level across other payment card brands, and discretion of the payment card brand.

An Overview of Merchant Levels by Card Brand

Visa
Merchant Level 1
  • Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant identified by any card association as Level 1
Merchant Level 2: 1 million – 6 million Visa or MasterCard transactions per year
Merchant Level 3: 20,000 – 1 million Visa or MasterCard e-commerce transactions per year
Merchant Level 4: Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year

Mastercard
Merchant Level 1
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant having more than six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
Merchant Level 2
  • Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa
Merchant Level 3
  • Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa
Merchant Level 4: All other merchants

Discover
Merchant Level 1
  • All merchants processing more than 6 million card transactions annually on the Discover network.
  • Any merchant that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements
  • All merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant
Merchant Level 2: All merchants processing between 1 million and 6 million card transactions annually on the Discover network
Merchant Level 3: All merchants processing between 20,000 and 1 million card-not-present only transactions annually on the Discover network
Merchant Level 4: All other merchants

American Express
Merchant Level 1: 2.5 million American Express Card Transactions or more per year, or any Merchant that American Express otherwise deems a Level 1.
Merchant Level 2: 50,000 to 2.5 million American Express Card Transactions per year
Merchant Level 3 (designated): Less than 50,000 American Express Card Transactions per year, where the Merchant has been designated by American Express as required to submit validation documents. Designated Merchants are notified in writing by American Express at least 90 days before document submission is required.
Merchant Level 3 (non-designated): Less than 50,000 American Express Card Transactions per year, where the Merchant has not been designated by American Express as required to submit validation documentation.
Merchant Level EMV: Has not been involved in a Data Incident within the previous 12 months and also:
  • Processes 50,000 American Express Card Transactions or more per year
  • At least 75% of all Transactions are made by the Cardmember with the physical Card present
  • Those Transactions originate from EMV Chip-Enabled Devices capable of processing contact and contactless transactions.

Last updated on October 10, 2015


Where to Start: The SAQ

Level 4 Merchants can begin their PCI Compliance journey by completing a PCI Self-Assessment Questionnaire (SAQ). The PCI DSS also has a very informative website for Small to Mid-Sized Merchants, where you can learn about your responsibilities as a small merchant and receive news and updates about small merchant requirements from the PCI DSS.

The PCI SSC provides a variety of informational tools, resources, and worksheets on its website that will help guide you through the Self-Assessment Questionnaire or a higher level of PCI Compliance requirement. These tools can be downloaded from the PCI SSC Documents Library.

Merchants in Levels 1-3 will most likely be contacted by their gateway or the payment card brands they accept to complete the higher-tier compliance requirements. This may include a quarterly independent scan by an approved scanning vendor such as Trustwave. Level 1 Merchants may also be required to undergo an annual on-site security audit.


Why we love Stripe and Braintree.

If you are using Stripe or Braintree and serve your checkout page over SSL, you (as the merchant) have done everything necessary to comply with the Payment Card Industry Data Security Standards.

Our Stripe integration uses the Stripe.js method to collect credit card (and other similarly sensitive) details without having the information touch your server.

Braintree’s transparent redirect, client-side encryption and vault bring you 90% or more of the way towards compliance. This method eliminates the vast majority of the PCI compliance burden you would otherwise face.

The customer information saved in your database is limited to the payment method’s last 4 digits and expiration date. With Stripe, as with Braintree, the rest is never posted to your WordPress site’s server.


What about your other gateways?

With Authorize.net, Payflow, Website Payments Pro, or Cybersource, the customer’s credit card information is posted to the web server and then sent to the API. In this case, you have more responsibility for PCI Compliance.

PayPal Express, PayPal Standard and 2Checkout all process payment offsite, so there is less need to explore PCI Compliance if your primary gateway is in this list.
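The difference between the two groups of gateways above comes down to which fields reach your web server. The following is an added example (not Paid Memberships Pro or Stripe code) that models a Stripe.js-style token response with constructed values, shows the server-side record derived from it, and includes a Luhn-based audit you can run over your own checkout POST data to confirm no full card number is hitting the server; `recordFromToken`, `findPanFields` and the sample payloads are hypothetical names and data.

```javascript
// Added example (not Paid Memberships Pro code): shows which fields reach the
// server under a Stripe.js-style tokenized checkout versus a direct card post,
// and a Luhn-based audit a site owner can run over their own checkout POST data.

// Luhn check: true when the digit string is a syntactically valid card number.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Return the names of payload fields whose values look like a full card number (PAN).
function findPanFields(payload) {
  return Object.keys(payload).filter(k => {
    const v = String(payload[k]).replace(/[\s-]/g, '');
    return luhnValid(v);
  });
}

// What the server keeps from a Stripe.js token response: the token and the
// non-sensitive card metadata (last 4 digits, expiration). No PAN, no CVC.
function recordFromToken(tokenResponse) {
  return {
    gateway_token: tokenResponse.id,
    last4: tokenResponse.card.last4,
    exp_month: tokenResponse.card.exp_month,
    exp_year: tokenResponse.card.exp_year,
  };
}

// Constructed sample in the shape of a Stripe.js card token response (hypothetical values).
const SAMPLE_TOKEN = { id: 'tok_example123', card: { last4: '4242', exp_month: 12, exp_year: 2020 } };

// Constructed sample of a direct-post checkout (Authorize.net-style flow): the
// full card number and CVC are in the POST body that reaches the web server.
const DIRECT_POST = { AccountNumber: '4242 4242 4242 4242', CVV: '123', ExpirationMonth: '12' };

// Constructed sample of what a tokenized (Stripe.js-style) checkout posts instead.
const TOKEN_POST = { stripeToken: SAMPLE_TOKEN.id, last4: '4242', exp_month: '12' };

console.log(findPanFields(DIRECT_POST));  // ['AccountNumber'] -> card data in PCI scope
console.log(findPanFields(TOKEN_POST));   // [] -> card data never touched the server
```

Run the audit against a capture of your own checkout request (for example from the browser's network inspector) rather than the constructed samples to see which group your gateway falls into.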


Read more about PCI Compliance and your Gateway


Read more about PCI Compliance and your Payment Card Brands


I didn’t know this… thanks so much for this info! It’s also good to know that I’m covered with Stripe — no regrets on choosing them.

PCI is BS. Try reporting a website or business that is not PCI compliant. You can’t – nobody knows where or how to do that. Not even the credit card companies can tell you how to report non-PCI compliance. They all say, “Talk to your bank.” You know what the banks say? “Talk to the credit card people.” Smoke and mirrors.

In my experience, merchant account providers like Cybersource (owned by Visa) will require companies to pass PCI compliance. If the merchant doesn’t pass, they might have to pay an extra fee or could have their accounts disabled.

I am not aware of a way for consumers to report companies that aren’t compliant. The idea is to protect customer data, so I could see the use for that. At the same time, the merchant account providers and gateways should be enforcing things.

That is exactly why, two and a half years ago, I selected PMPro using Stripe.

Thanks for a super Plugin that really helped me grow my online business http:imarketsignals.com beyond expectations.

Hi,
Where you stated:
“With Authorize.net, Payflow, Website Payments Pro, or Cybersource, the customer’s credit card information is posted to the web server and then sent to the API. In this case, you have a bit more responsibility for PCI Compliance.”

“… a bit more…”
is a huge understatement. You’ll go from around 80 questions on your SAQ to over 300, plus additional security testing.

Bottom line: letting card data touch your server is a huge burden for PCI compliance, especially with the recent changes this year. Just don’t do it.

Thanks for this, we are currently using Stripe on a DotNetNuke site and want to migrate those users to Stripe account using PMP. Do you have any experience or guidance on the process of migrating these subscriptions to PMP Stripe?
