Course Merchant – PCI Compliance Information
Course Merchant itself is not a Payment Application: it does not store, process or transmit cardholder data. In all cases, Course Merchant hands the customer off to hosted payment pages run by Internet Payment Service providers such as authorize.net, PayPal, WorldPay, SagePay and others, and card details are entered there, never on a Course Merchant page. Because of this, Course Merchant itself is not in scope for PCI DSS validation. Your own PCI DSS obligations as a merchant still exist, but they are greatly reduced and attach to your account with the Internet Payment Service provider; how to meet them is described below.
Where is PCI DSS Needed?
“The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.”
Source: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf, Payment Card Industry (PCI) Data Security Standard (PCI DSS) version 2.0, the version current when this page was written.
Note that the Primary Account Number (PAN) is the card number itself. Course Merchant never asks a customer for it: customers purchasing via Course Merchant enter their card details into forms on the hosted payment pages of the Internet Payment Service provider, and only that provider sees them. The Course Merchant pages that send the customer to those hosted pages are still yours to keep secure, since a tampered redirect could send customers to a fraudulent payment page; keep the hosting environment patched and restrict who can change it.
How do Course Merchant users declare their PCI compliance?
Firstly, make sure your Internet Payment Service provider (authorize.net, PayPal, etc.) is validated as PCI DSS compliant; ask the provider for its current Attestation of Compliance or check the card brands' published lists of compliant service providers. This will almost certainly be the case, as Course Merchant only integrates with Internet Payment Service providers that are PCI DSS compliant.
Secondly, adopt security standards and policies that meet the PCI DSS requirements applicable to you. Which requirements apply depends on how you take card payments; the compliance level you fall into (see below) determines how, and how often, you must validate them. These policies cover such areas as password policies, data storage policies, computer access policies, etc. To assure yourself and others that you meet the security requirements of PCI DSS, you should complete a PCI DSS Self-Assessment Questionnaire (SAQ).
If a Course Merchant customer wishes to self-assess and declare their PCI DSS compliance, they should review the information at https://www.pcisecuritystandards.org/security_standards/index.php in order to find:
1. The appropriate PCI DSS Self-Assessment Questionnaire (SAQ)
The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. There are several SAQs, and the one that applies depends on how you take card payments. A merchant that accepts cards only through a provider's hosted payment pages, as Course Merchant customers do, normally qualifies for SAQ A, the questionnaire for card-not-present merchants with all cardholder data functions outsourced; confirm the choice with your acquirer.
2. Approved Scanning Vendors
Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain PCI DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
By completing the PCI DSS Self-Assessment Questionnaire, having a vulnerability scan performed by an Approved Scanning Vendor where the SAQ or your acquirer requires one, and signing the Attestation of Compliance, a company may 'self declare' its PCI compliance.
What are the four levels of PCI DSS Compliance?
Whether you need an onsite security audit, or how often you must complete a Self-Assessment, depends on which of the four merchant levels your company falls into. The levels are set by the card brands and transaction counts are per brand; the thresholds below follow Visa's definitions, and the other brands use similar but not identical ones. These are the four levels:
Level 1 Criteria: Merchants with over 6 million transactions a year (through any channel), or merchants whose cardholder data has previously been compromised.
Level 1 Validation Requirements
Annual onsite security audit (by a QSA, or by Internal Audit if the report is signed by an officer of the merchant company and pre-approved by the acquirer)
Quarterly network scan by ASV
Attestation of Compliance Form
Level 2 Criteria: Merchants with 1,000,000 to 6 million transactions a year
Level 2 Validation Requirements
Annual Self-Assessment Questionnaire (SAQ)
Quarterly network scan by ASV
Attestation of Compliance Form
Level 3 Criteria: Merchants with 20,000 to 1,000,000 e-commerce transactions a year
Level 3 Validation Requirements
Annual SAQ
Quarterly network scan by ASV
Attestation of Compliance Form
Level 4 Criteria: Merchants with fewer than 20,000 e-commerce transactions a year
Level 4 Validation Requirements
Annual SAQ recommended
Quarterly network scan by ASV if applicable
Compliance validation requirements set by acquirer