All merchants who process, transmit, or store credit card data must comply with PCI standards. If your Paid Memberships Pro-powered site charges for membership, you have a responsibility to meet the standards of PCI Compliance as outlined in the Payment Card Industry Data Security Standard (PCI DSS).

This post describes general PCI Compliance goals, requirements by gateway and credit card type, as well as links to more information for each gateway.

PCI Compliance for Membership Sites

Overview of the Goals and Requirements

The PCI Security Standards Council (PCI SSC) regularly updates the goals and requirements of the PCI DSS. The table below gives a high-level overview of the twelve requirements, grouped by goal:

Goal: Build and Maintain a Secure Network
  1: Install and maintain a firewall configuration to protect cardholder data
  2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
  3: Protect stored cardholder data
  4: Encrypt transmissions of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
  5: Use and regularly update anti-virus software
  6: Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
  7: Restrict access to cardholder data by business need-to-know
  8: Assign a unique ID to each person with computer access
  9: Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
  10: Track and monitor all access to network resources and cardholder data
  11: Regularly test security systems and processes

Goal: Maintain an Information Security Policy
  12: Maintain a policy that addresses information security

Know Your Merchant Level

PCI Compliance requirements are based on your Merchant Level, which varies by payment card brand. Several factors influence your merchant level, including annual transaction volume, any history of fraud or data compromise, the ratio of card-present to card-not-present transactions, your merchant level with other payment card brands, and the discretion of the payment card brand.

An Overview of Merchant Levels by Card Brand

Visa

Merchant Level 1

Any merchant, regardless of acceptance channel, that processes more than 6 million Visa transactions per year, or that:

  • has suffered a hack or an attack that resulted in an account data compromise
  • is identified by any card association as Level 1

Merchant Level 2

Merchants that process between 1 and 6 million Visa or MasterCard transactions per year.

Merchant Level 3

Any merchant that processes between 20,000 and 1 million Visa or MasterCard e-commerce transactions per year.

Merchant Level 4

Merchants that process fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year.

Mastercard

Merchant Level 1

Any merchant that:

  • has suffered a hack or an attack that resulted in an account data compromise
  • processes more than 6 million total combined MasterCard and Maestro transactions annually
  • meets the Level 1 criteria of Visa
  • is determined by MasterCard, in its sole discretion, to need to meet the Level 1 merchant requirements in order to minimize risk to the system

Merchant Level 2

Any merchant with more than one million but less than or equal to 6 million total combined MasterCard and Maestro transactions annually or that meets the Level 2 criteria of Visa.

Merchant Level 3

Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually.

Any merchant meeting the Level 3 criteria of Visa.

Merchant Level 4

All other merchants.

Discover

Merchant Level 1

All merchants processing more than 6 million card transactions annually on the Discover network, or any merchant that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements. If another payment brand or acquirer requires you to validate and report your compliance as a Level 1 merchant, Discover will also require you to comply at Level 1.

Merchant Level 2

Merchants processing between 1 million and 6 million card transactions annually on the Discover network.

Merchant Level 3

Merchants processing between 20,000 and 1 million card-not-present transactions annually on the Discover network.

Merchant Level 4

All other merchants.

American Express

Merchant Level 1

2.5 million American Express Card Transactions or more per year; or any Merchant that American Express otherwise deems a Level 1.

Merchant Level 2

50,000 to 2.5 million American Express Card Transactions per year.

Merchant Level 3 (designated)

Less than 50,000 American Express Card Transactions per year and has been designated by American Express as being required to submit validation documents.

Designated Merchants are notified in writing by American Express at least 90 days before document submission is required.

Merchant Level 3 (non-designated)

Less than 50,000 American Express Card Transactions per year and has not been designated by American Express as being required to submit validation documentation.

Merchant Level EMV

Merchants that have not been involved in a Data Incident within the previous 12 months and that also:

  • process 50,000 American Express Card Transactions or more per year
  • have at least 75% of all Transactions made by the Cardmember with the physical Card present
  • have those card-present Transactions originate from EMV chip-enabled devices capable of processing contact and contactless transactions

Last updated on October 10, 2015

Where to Start: The SAQ

Level 4 merchants can begin their PCI Compliance journey by completing a PCI Self-Assessment Questionnaire (SAQ). Which SAQ applies depends on how you take payments; for example, the short SAQ A is for merchants who outsource all handling of card data to a validated third party, such as a hosted or tokenized checkout. The PCI SSC also has a very informative website for small to mid-sized merchants. There you can learn about your responsibilities as a small merchant and receive news and updates about small merchant requirements from the PCI SSC.

The PCI SSC provides a variety of informational tools, resources, and worksheets on its website to guide you through the Self-Assessment Questionnaire or a higher level of PCI Compliance requirement. You can download these tools from the PCI SSC Document Library.

Level 1 to 3 merchants will most likely be contacted by their gateway or acquiring bank, or by the payment card brands they accept, to complete the higher-tier validation requirements. These typically include quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) such as Trustwave. Level 1 merchants are generally also required to have an annual on-site assessment by a Qualified Security Assessor (QSA).

Why We Love Stripe

If you are using Stripe and serve your checkout page over HTTPS (TLS), you (as the merchant) have taken care of the hardest part of PCI DSS compliance: card numbers never reach your server, which takes most of the twelve requirements above out of your scope. You are still responsible for keeping the checkout page and the rest of your WordPress site secure (a compromised page can be modified to skim card details before they are sent to Stripe), and for completing the SAQ your acquirer asks for.

Our Stripe integration uses Stripe.js to collect credit card details (and other similarly sensitive fields, such as the security code) in the customer's browser and send them directly to Stripe, so that information never touches your server. Stripe returns a token that represents the card, and it is this token, not the card number, that is posted to your site.

Your database stores only the payment method's last four digits and expiration date from the customer's information. The rest of the card data goes from the browser to Stripe and is never posted to your WordPress site's server.
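The practical check behind that claim is that nothing resembling a full card number or security code ever arrives at your server, whatever the checkout form was changed to send. The guard below is an added example, not Paid Memberships Pro or Stripe code: it screens a checkout POST body, accepts only an allow-list of fields, and rejects the request if any value passes a Luhn check as a possible card number or if a security-code field is present. The field names (stripeToken, card_last4, card_exp_month, card_exp_year, email) and the two sample requests are assumptions constructed for the illustration.

```javascript
// Added example (not Paid Memberships Pro or Stripe code): a server-side guard
// for a Stripe.js-style checkout. The browser sends card details to Stripe and
// gets back a token; only that token and a few non-sensitive fields should ever
// be posted to your site. Field names are assumptions; adjust them to your form.

// Fields the server will accept from the checkout form. Anything else means a
// misconfigured form, a tampered page or a bot is sending data you do not want
// in PCI scope.
const ALLOWED_FIELDS = new Set([
  'stripeToken', 'card_last4', 'card_exp_month', 'card_exp_year', 'email',
]);

// Field names that carry a card security code. The CVC must never be stored,
// so it should not even arrive at the server.
const SECURITY_CODE_FIELD = /^(cvc|cvv|cvv2|cid|card_code|security_code)$/i;

// Luhn check: every real card number passes it, so a 13 to 19 digit string
// that passes is treated as a possible PAN (primary account number).
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True if the value contains a run of 13 to 19 digits (spaces or dashes between
// digits allowed, as people type them) that passes the Luhn check.
function containsPan(value) {
  const runs = String(value).match(/(?:\d[ -]?){12,18}\d/g) || [];
  return runs.some((run) => {
    const digits = run.replace(/[ -]/g, '');
    return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
  });
}

// Screens one checkout POST body. Returns { ok, fields, problems }: `fields`
// holds only the allowed, non-sensitive values; `problems` says why the request
// should be rejected (log the reasons, never the offending values).
function screenCheckoutPost(body) {
  const problems = [];
  const fields = {};
  for (const [name, value] of Object.entries(body)) {
    const hasPan = containsPan(value);
    if (SECURITY_CODE_FIELD.test(name)) {
      problems.push(`security code field "${name}" must never reach the server`);
    } else if (!ALLOWED_FIELDS.has(name)) {
      problems.push(`unexpected field "${name}"`);
    }
    if (hasPan) {
      problems.push(`field "${name}" contains what looks like a full card number`);
    }
    if (ALLOWED_FIELDS.has(name) && !hasPan) {
      fields[name] = String(value);
    }
  }
  // Stripe token ids begin with "tok_" (format assumption; adjust if your
  // integration posts a payment method id instead).
  if (!/^tok_[A-Za-z0-9]+$/.test(fields.stripeToken || '')) {
    problems.push('missing or malformed Stripe token');
  }
  if (fields.card_last4 !== undefined && !/^\d{4}$/.test(fields.card_last4)) {
    problems.push('card_last4 must be exactly four digits');
  }
  return { ok: problems.length === 0, fields, problems };
}

// Constructed sample requests, not real traffic. 4242 4242 4242 4242 is
// Stripe's public test card number, used only because it passes Luhn.
const GOOD_POST = {
  stripeToken: 'tok_exampleAbc123',
  card_last4: '4242',
  card_exp_month: '12',
  card_exp_year: '2030',
  email: 'member@example.com',
};
const BAD_POST = {
  stripeToken: 'tok_exampleAbc123',
  card_number: '4242 4242 4242 4242', // full PAN: must never be posted here
  cvc: '123',                         // security code: must never be posted here
  card_last4: '4242',
};

console.log(screenCheckoutPost(GOOD_POST)); // ok: true, five fields kept
console.log(screenCheckoutPost(BAD_POST));  // ok: false, three problems
```

Run the same screening over your web server's request logs or a WAF rule if you want evidence, rather than an assumption, that no full PAN has ever been posted to the site; a single hit means the page is in a larger PCI scope than the SAQ you filed assumes.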

Other Gateways and PCI Compliance

Sites using our PayPal Gateway Add On take payment on PayPal's hosted pages, so card data never passes through your site and your PCI scope is minimal (typically the short SAQ A). You may still be asked by your acquirer or a payment brand to validate compliance, but there is much less to do if this is your primary gateway.

Read More About PCI Compliance and Your Gateway

Read More About PCI Compliance and Payment Card Brands
