07 Jul Understanding PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a common set of industry standards that were created to better align the separate card brand security programs into one and educate businesses on the necessary steps to ensure the safe handling of sensitive information, including cardholder data.
Regardless of the size of your business, complying with the PCI DSS is essential for any merchant that accepts credit cards as a form of payment. The requirements for validating PCI compliance are dependent upon the merchant level that a company falls under. Merchants are divided into four different merchant levels based on the number of transactions they process annually and the environment in which they operate.
What are the PCI Compliance Levels?
As mentioned, all merchants are divided into four different merchant levels based on the volume of transactions they process over the course of a year. These levels are defined as follows:
|Level|Criteria|
|---|---|
|Level 1|Includes (1) any merchant who processes over 6 million transactions annually; (2) those who are identified as Level 1 by card associations; (3) any merchant that has had a data breach that resulted in account compromise.|
|Level 2|Any merchant who processes between 1 million and 6 million transactions annually.|
|Level 3|Any merchant who processes between 20,000 and 1 million e-commerce transactions annually.|
|Level 4|Includes (1) merchants processing fewer than 20,000 e-commerce transactions in a given year; (2) all other merchants processing up to 1 million transactions annually.|
Importance of PCI Compliance
It is important to maintain PCI compliance because it demonstrates to customers, vendors and suppliers your dedication to cardholder privacy. Essentially, PCI was introduced to:
- Protect customers’ personal data
- Protect your organisation from financial losses and remediation costs
- Maintain customer trust and confidence through a higher level of data security
Businesses are required to validate compliance on an annual basis, but the measures taken to become compliant should be treated as business as usual and maintained throughout the year; only then are they truly effective in mitigating the ever-changing landscape of threats to all types of cardholder data environments. The PCI Security Standards Council does not enforce merchant validation: it created the standard but relies on the processor to work with its merchants to comply. The individual payment brands, however, do impose financial and operational consequences on certain businesses that are not compliant. Validating compliance does not guarantee that a business will not suffer a data compromise, which in most cases damages not only finances but also the brand, but it greatly reduces the chances of this happening.
How to Become PCI Compliant
When dealing with PCI DSS requirements, you have two options: (1) go through the process yourself, or (2) seek help from an expert such as a PCI SSC Qualified Security Assessor (QSA). Either way, the process involves various steps, including:
- Determine Your Compliance Level
Out of the four levels outlined above, you will need to figure out which level of compliance best suits your business. You will have to know how many transactions you process a year and these should be separated by channel (in-store or online), where possible. Each credit card brand may have a different definition for their compliance level so it’s best to check with them before choosing your own level.
- Complete the Self-Assessment Questionnaire
This questionnaire is made up of questions which are used to assess your compliance with PCI DSS requirements. There are 12 questions in total, which are organised into 6 groups. There are a few variations of the SAQ, but you will only need to complete the one which corresponds most closely to how you handle credit card data.
- Complete the Attestation of Compliance
Similar to the SAQ, the Attestation of Compliance (AOC) has a few variations, but you only need to complete the most relevant one. The AOC is necessary to show that your business is fully compliant with all the relevant PCI standards.
- Submit Documents
Finally, you need to submit the SAQ and AOC (and any other documentation that may be required) to your acquiring bank and/or your credit card company.
BOIPA’s Road to PCI Compliance
We have a fully staffed Compliance Team ready to answer any questions you may have pertaining to PCI DSS validation. In addition to the support we offer, we have partnered with an online validation program to give merchants access to a streamlined online Self-Assessment Questionnaire (SAQ), as well as access to quarterly vulnerability scanning performed by an Approved Scanning Vendor (ASV) and to penetration testing tools. Merchants may use our sponsored program, or we can help confirm alternative validation options, such as submitting validation documents completed through another validation program vendor, or direct merchants to the PCI SSC website, where the paper SAQs are available for download and completion along with the list of ASVs.