PCI Compliance for Merchants

 

PCI compliance is not optional; it is a requirement for any merchant, bank or processor that handles payment card information. Software developers and integrators that store, process or transmit such information are also required to be PCI compliant, according to the Payment Application Data Security Standard (PA-DSS) and the specific rules pertaining to the manner in which they handle data. It is important to note that neither NMA nor any other vendor can declare a business PCI compliant because of any technology or other product. Compliance comes through following the PCI steps to compliance.

Secure payment software is but one of the building blocks to PCI compliance for merchants.  From the world's largest corporations to small Internet stores, compliance with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping each customer’s payment card data secure. The size of your business will determine the specific compliance requirements that must be met. Note that enforcement of merchant compliance is managed by the individual payment brands and not by the PCI Council – the same is true for non-compliance penalties.

PCI compliance is an ongoing process of security validation focused on preventing data breaches at the merchant level by requiring 12 basic steps to ensure a secure environment.  The PCI DSS follows common-sense steps that mirror security best practices. There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process. First, Assess -- identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data. Second, Remediate -- fix vulnerabilities and do not store cardholder data unless you need it. Third, Report -- compile and submit required remediation validation records (if applicable), and submit compliance reports as required by NMA or our processing partners.

Merchants fall under four categories of PCI compliance, depending on the number of transactions they process each year and whether those transactions are performed in a retail location or via the Internet. PCI compliance can become confusing at times because each payment card brand has its own requirements and definitions of PCI compliance levels, and each brand enforces the rules independently. The following applies to Visa merchants:

  • PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
  • PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • PCI Compliance Level 4 - Merchants processing fewer than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

Retail merchants categorized as PCI compliance levels 2, 3, and 4 must complete an annual self-assessment questionnaire in addition to a required quarterly network scan performed by an approved scanning vendor. The nature of the questionnaires varies depending on compliance level. Internet merchants have slightly different levels and classifications.

NMA recommends the following helpful links for information regarding PCI compliance.

To learn what your specific compliance requirements are, check with your card brand compliance program:

The PCI Council Website is very informative and has excellent information.

https://www.pcisecuritystandards.org/merchants/index.php (PCI COUNCIL HOME PAGE FOR MERCHANTS)

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf  (QUICK REFERENCE GUIDE FOR MERCHANTS)

PCI Compliance is every merchant's responsibility.   NMA offers assistance, compliant products, and guidance, but the bottom line is that there are no shortcuts.  We recommend getting informed if you have questions and we will gladly be a resource and help you minimize the burden on your business.

If you have further questions, or would like to know more about National Merchant Alliance’s PCI solutions, contact us.

 
Copyright © 2010 National Merchant Alliance | Privacy Policy | Terms of Use National Merchant Alliance is an ISO/MSP of Chase Paymentech, LLC National Merchant Alliance is an ISO/MSP of Wells Fargo Bank, NA, Walnut Creek, CA.