Data Security Requirements
All merchants who accept credit cards are required to comply with the PCI Data Security Standard. Merchants are categorized into one of four levels based on transaction volume and acceptance channel, with different compliance requirements based on each level.
| Merchant Level | Selection Criteria | Validation Actions | Deadline |
|---|---|---|---|
| 1 | Any merchant - regardless of acceptance channel - that: | Annual On-site PCI Assessment and Quarterly Network Scan completed by an ASV. | 9/30/04 (Visa's new Level 1 merchants have up to one year from identification to validate) |
| 2 | Visa: Any merchant - regardless of acceptance channel - that processes 1 million to 6 million Visa transactions per year. MasterCard: Any merchant - regardless of acceptance channel - that processes 1 million to 6 million MasterCard transactions per year. | Annual On-site PCI Assessment and Quarterly Network Scan completed by an ASV. | 6/30/05 |
| 3 | Visa: Any merchant that processes 20,000 to 1 million. MasterCard: Any merchant that processes 20,000 to 150,000 e-commerce transactions per year. | Annual PCI Self-Assessment and Quarterly Network Scan completed by an ASV. | 6/30/05 |
| 4 | Visa: Any merchant that processes fewer than 20,000 Visa e-commerce transactions or fewer than 1 million Visa transactions regardless of acceptance channel. MasterCard: Merchants that process fewer than 20,000 MasterCard e-commerce transactions and less than | Annual PCI Self-Assessment and Quarterly Network Scan completed by an ASV. | 1/1/2006 |
What is the PCI Self-Assessment Questionnaire?
The questionnaire is a set of multiple-choice questions designed to understand the merchant's card acceptance and processing environment. The questionnaire has been designed to assess your compliance with the requirements of all card associations regarding your policies, procedures, administrative controls, access controls and physical security measures as they pertain to those systems that store, process or transmit cardholder data.
What is a quarterly network scan?
The scan, often called a vulnerability scan, is conducted by a third-party vendor against the merchant's external-facing IP addresses. The scan identifies systems that are not secure and could be open to a security breach or data compromise, especially one that could potentially compromise cardholder data.
Together, the questionnaire and the scan provide a snapshot of how well a merchant is protecting the cardholder data they store, process or transmit. A passing scan and passing questionnaire will deem the merchant compliant with PCI.
If a merchant does not pass the scan and/or questionnaire, they are deemed non-compliant. A remediation plan will be necessary to address the areas of weakness, risk and vulnerability.
What happens if I am not PCI Compliant?
If you do not comply with the security requirements of the card associations, your business may be at risk of compromise. You are subject to fines from the card associations for non-compliance, and if compromised, you are at risk of financial loss, additional fines, loss of business, damage to your brand's reputation and loss of critical systems.
If you have any questions or concerns, please contact Commerce Bank Merchant Support at 800-828-1629.