Data Security Requirements

All merchants who accept credit cards are required to comply with the PCI Data Security Standard (PCI DSS). Merchants are categorized into one of four levels based on annual transaction volume and acceptance channel (e-commerce versus all channels), and each level carries its own validation requirements and deadline, summarized below.

Level 1
  Selection criteria: Any merchant - regardless of acceptance channel - that:
    • Processes over 6 million Visa or MasterCard transactions per year
    • Has suffered a hack or an attack that resulted in an account data compromise
    • Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system
    • Has been identified by any other payment card brand as Level 1
  Validation actions: Annual On-site PCI Assessment and Quarterly Network Scan completed by an Approved Scanning Vendor (ASV).
  Deadline: 9/30/04 (Visa's newly identified Level 1 merchants have up to one year from identification to validate)

Level 2
  Selection criteria:
    Visa: Any merchant - regardless of acceptance channel - that processes 1 million to 6 million Visa transactions per year
    MasterCard: Any merchant - regardless of acceptance channel - that processes 1 million to 6 million MasterCard transactions per year
  Validation actions: Annual On-site PCI Assessment and Quarterly Network Scan completed by an ASV.
  Deadline: 6/30/05

Level 3
  Selection criteria:
    Visa: Any merchant that processes 20,000 to 1 million Visa e-commerce transactions per year
    MasterCard: Any merchant that processes 20,000 to 150,000 MasterCard e-commerce transactions per year
  Validation actions: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan completed by an ASV.
  Deadline: 6/30/05

Level 4
  Selection criteria:
    Visa: Any merchant that processes fewer than 20,000 Visa e-commerce transactions per year, or fewer than 1 million Visa transactions per year regardless of acceptance channel
    MasterCard: Any merchant that processes fewer than 20,000 MasterCard e-commerce transactions per year and fewer than 6 million MasterCard transactions per year regardless of acceptance channel
  Validation actions: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan completed by an ASV.
  Deadline: 1/1/2006

What is the PCI Self-Assessment Questionnaire?

The questionnaire is a set of questions designed to document the merchant's card acceptance and processing environment. It assesses your compliance with the requirements of the card associations regarding your policies, procedures, administrative controls, access controls and physical security measures as they apply to the systems that store, process or transmit cardholder data.

What is a quarterly network scan?

The scan, often called a vulnerability scan, is conducted by an Approved Scanning Vendor (ASV) against the merchant's external-facing IP addresses. The scan identifies systems that are not securely configured or that could be open to a security breach or data compromise, especially weaknesses that could lead to a compromise of cardholder data.

Together, the questionnaire and the scan provide a point-in-time snapshot of how well a merchant is protecting the cardholder data it stores, processes or transmits. A passing scan and a passing questionnaire validate the merchant as PCI compliant.

If a merchant does not pass the scan and/or the questionnaire, the merchant is deemed non-compliant. A remediation plan will be necessary to address the identified areas of weakness, risk and vulnerability, after which the failed scan or questionnaire must be repeated.

What happens if I am not PCI Compliant?

If you do not comply with the security requirements of the card associations, your business is at greater risk of compromise. You are subject to fines from the card associations for non-compliance, and if compromised, you are at risk of financial loss, additional fines, loss of business, damage to your brand's reputation and loss of critical systems.

If you have any questions or concerns, please contact Commerce Bank Merchant Support at 800-828-1629.
