PCI Compliance is required for all merchants involved with the processing, transmission, or storage of credit card data. If your Paid Memberships Pro-powered site charges for membership, you have a responsibility to meet the standards of PCI Compliance as outlined by the Payment Card Industry Data Security Standards (PCI DSS).

This post describes general PCI Compliance goals, requirements by gateway and credit card type, as well as links to more information for each gateway.


Overview of the Goals and Requirements

The PCI DSS is constantly updating and enhancing the goals and requirements of PCI Compliance. The table below gives a high level overview:

Goal: Build and Maintain a Secure Network
  1: Install and maintain a firewall configuration to protect cardholder data
  2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
  3: Protect stored cardholder data
  4: Encrypt transmissions of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
  5: Use and regularly update anti-virus software
  6: Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
  7: Restrict access to cardholder data by business need-to-know
  8: Assign a unique ID to each person with computer access
  9: Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
  10: Track and monitor all access to network resources and cardholder data
  11: Regularly test security systems and processes

Goal: Maintain an Information Security Policy
  12: Maintain a policy that addresses information security

Know Your Merchant Level

PCI Compliance requirements are based on your Merchant Level, which varies by payment card brand. Several factors influence your merchant level, including annual transaction volume, history of fraud or hack, ratio of card-present to card-not-present transactions, merchant level across other payment card brands, and discretion of the payment card brand.

An Overview of Merchant Levels by Card Brand

Visa
Merchant Level 1:
  • Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant identified by any card association as Level 1
Merchant Level 2: 1 million – 6 million Visa or MasterCard transactions per year
Merchant Level 3: 20,000 – 1 million Visa or MasterCard e-commerce transactions per year
Merchant Level 4: Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year

Mastercard
Merchant Level 1:
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant having more than six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
Merchant Level 2:
  • Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa
Merchant Level 3:
  • Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa
Merchant Level 4: All other merchants

Discover
Merchant Level 1:
  • All merchants processing more than 6 million card transactions annually on the Discover network
  • Any merchant that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements
  • All merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant
Merchant Level 2: All merchants processing between 1 million and 6 million card transactions annually on the Discover network
Merchant Level 3: All merchants processing between 20,000 and 1 million card-not-present only transactions annually on the Discover network
Merchant Level 4: All other merchants

American Express
Merchant Level 1: 2.5 million American Express Card Transactions or more per year, or any Merchant that American Express otherwise deems a Level 1
Merchant Level 2: 50,000 to 2.5 million American Express Card Transactions per year
Merchant Level 3 (designated): Less than 50,000 American Express Card Transactions per year, and the Merchant has been designated by American Express as being required to submit validation documents. Designated Merchants are notified in writing by American Express at least 90 days before document submission is required.
Merchant Level 3 (non-designated): Less than 50,000 American Express Card Transactions per year, and the Merchant has not been designated by American Express as being required to submit validation documentation
Merchant Level EMV: Merchants that have not been involved in a Data Incident within the previous 12 months and also:
  • Process 50,000 American Express Card Transactions or more per year
  • Have at least 75% of all Transactions made by the Cardmember with the physical Card present
  • Have those Card-present Transactions originate from EMV Chip-Enabled Devices capable of processing contact and contactless transactions

Last updated on October 10, 2015

Where to Start: The SAQ

Level 4 Merchants can begin their PCI Compliance journey by completing a PCI Self-Assessment Questionnaire (SAQ). The PCI DSS also maintains an informative website for Small to Mid-Sized Merchants, where you can learn about your responsibilities as a small merchant and receive news and updates about small merchant requirements from the PCI DSS.

The PCI SSC provides a variety of informational tools, resources, and worksheets on its website to guide you through the Self-Assessment Questionnaire or a higher level of PCI Compliance requirement. You can download these tools from the PCI SSC Documents Library.

Merchants in Levels 1-3 will most likely be contacted by their gateway or the payment card brands they accept to complete the higher-tier compliance requirements. This may include a quarterly independent scan by a merchant-qualified vendor such as Trustwave. Level 1 Merchants may be required to undergo an annual on-site security audit.

Why We Love Stripe and Braintree

If you are using Stripe or Braintree and serve your checkout page over SSL, you (as the merchant) have done everything necessary to comply with the Payment Card Industry Data Security Standards.

Our Stripe integration uses the Stripe.js method to collect credit card (and other similarly sensitive) details without having the information touch your server.

Braintree’s transparent redirect, client-side encryption and vault bring you 90% or more of the way towards compliance. This method eliminates the vast majority of the PCI compliance burden you would otherwise face.

The customer information that is saved in your database includes the payment method’s last 4 digits and expiration date. With Stripe, as well as Braintree, the rest is never posted to your WordPress site’s server.
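The property described above (the full card number never reaches your server; only a gateway token, the last 4 digits and the expiry date are stored) is something a site owner can verify rather than assume. The following is an added example, not Paid Memberships Pro code and not the Stripe or Braintree client libraries: a server-side guard that inspects a checkout submission, flags any field whose value looks like a full card number (a 13 to 19 digit run that passes the Luhn check, the same check used to detect accidental PAN storage under Requirement 3), and derives the only record the site is allowed to persist. The token format `tok_...`, the field names `payment_token`, `card_last4` and `card_exp`, and the sample submissions are constructed for this example.

```javascript
// Added example (not Paid Memberships Pro, Stripe or Braintree code).
// Server-side guard for a tokenized checkout: confirm no PAN reached the
// server and extract the minimal record (token, last4, expiry) to store.

// Luhn check over a string of digits; used to tell a real card number
// from an arbitrary long numeric value such as an order id.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the value contains a digit run of 13-19 characters (spaces and
// dashes ignored) that passes Luhn. Longer runs are scanned window by window
// so a PAN embedded in a larger number is still caught.
function containsPan(value) {
  const s = String(value).replace(/[\s-]/g, '');
  for (const run of s.match(/\d{13,}/g) || []) {
    for (let len = 13; len <= 19; len++) {
      for (let i = 0; i + len <= run.length; i++) {
        if (luhnValid(run.slice(i, i + len))) return true;
      }
    }
  }
  return false;
}

// Names of all fields in a POST body whose value looks like a full PAN.
// An empty array means the submission is clean.
function findPanFields(body) {
  return Object.keys(body).filter((k) => containsPan(body[k]));
}

// Build the record the site may persist from a tokenized submission.
// Throws if a PAN is present, the token is missing, or last4/expiry are
// malformed; nothing is stored in that case.
function cardRecordFromTokenized(body) {
  const leaked = findPanFields(body);
  if (leaked.length > 0) {
    throw new Error('full card number present in fields: ' + leaked.join(', '));
  }
  // Placeholder token format for this example; real gateways define their own.
  if (typeof body.payment_token !== 'string' || !/^tok_[A-Za-z0-9]+$/.test(body.payment_token)) {
    throw new Error('missing or malformed payment token');
  }
  if (!/^\d{4}$/.test(body.card_last4)) throw new Error('card_last4 must be exactly 4 digits');
  if (!/^(0[1-9]|1[0-2])\/\d{2}$/.test(body.card_exp)) throw new Error('card_exp must be MM/YY');
  return { token: body.payment_token, last4: body.card_last4, exp: body.card_exp };
}

// Constructed sample submissions (not captured from any real site).
// The first is what a correctly tokenized checkout posts; the second is
// what a misconfigured form would post if the card fields kept their names.
const TOKENIZED_BODY = {
  payment_token: 'tok_example123',
  card_last4: '4242',
  card_exp: '12/29',
  email: 'member@example.com',
};
const RAW_CARD_BODY = {
  card_number: '4242 4242 4242 4242', // well-known Luhn-valid test number
  card_cvc: '123',
  card_exp: '12/29',
};

// Usage: run the guard on a tokenized submission and on a raw one.
console.log('tokenized ->', cardRecordFromTokenized(TOKENIZED_BODY));
console.log('raw body leaks PAN in:', findPanFields(RAW_CARD_BODY));
```

A practical way to use this is as a logging hook on the checkout endpoint: if `findPanFields` ever returns a non-empty list in production, the client-side tokenization is not working for some visitors and the server has silently entered PCI scope. Treat a hit as a signal to investigate; a long Luhn-valid account number can produce a false positive, so review before acting. The same logic ports directly to PHP for a WordPress site.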

Other Gateways and PCI Compliance

With Authorize.net or PayPal Payflow, the customer’s credit card information is posted to the web server and then sent to the API. In this case, you have more responsibility for PCI Compliance.

PayPal Express and PayPal Standard both process payments offsite, so there is less need to explore PCI Compliance if your primary gateway is one of these.

Read More About PCI Compliance and Your Gateway

Read More About PCI Compliance and Payment Card Brands
