PCI DSS Compliance Frequently Asked Questions

In BillingTree’s 2016 Collection Agency Operations and Technology Survey, collection agencies were asked how they would rate their company’s compliance risk concerns as they relate to payment processing and account maintenance regulations and guidelines.

On a scale of 1 to 10, respondents rated card brand guidelines, and the related regulatory issues around recurring payments, as the biggest compliance risk in payment processing and account maintenance.

They are wise to be concerned. The card brands monitor their merchants and service providers to ensure compliance, and one of the biggest drivers of payment card compliance is the Payment Card Industry Data Security Standard (PCI DSS). To help with compliance, here are a few frequently asked questions about PCI DSS.

Q1: What is PCI DSS?

A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that every company that accepts, processes, stores or transmits payment card data maintains a secure environment. The PCI DSS is administered and managed by the Payment Card Industry Security Standards Council (PCI SSC) (www.pcisecuritystandards.org), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It is important to note that the payment brands and acquirers, not the PCI SSC, are responsible for enforcing compliance. A copy of the PCI DSS is available on the PCI SSC website.

Q2: To whom does the PCI DSS apply?

A: The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, stores, processes or transmits cardholder data: merchants, financial institutions and service providers alike. This includes collection agencies and any payment processors they employ. To put it another way, if a customer ever pays you with a credit card or debit card, the PCI DSS requirements apply to you. This is a very important point to remember for compliance.

Q3: Where can I find the PCI Data Security Standard (PCI DSS)?

A: The current PCI DSS documents can be found on the PCI Security Standards Council website.

Q4: What are the PCI compliance ‘levels’ and how are they determined?

A: Every merchant falls into one of four merchant levels based on its Visa transaction volume over a 12-month period. Transaction volume is the aggregate number of Visa transactions (credit, debit and prepaid) from a merchant Doing Business As (DBA). The other card brands publish their own level definitions, and your acquirer determines which level applies to you. Merchant levels as defined by Visa are:

Merchant Level   Description
1                Any merchant, regardless of acceptance channel, processing over 6 million Visa transactions per year. Level 1 also applies to any merchant that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize risk to the Visa system.
2                Any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa transactions per year.
3                Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year.
4                Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa transactions per year.

Q5: If I only accept credit cards over the phone, does PCI DSS still apply to me?

A: Yes. Card data read to you over the phone is still cardholder data that your business is processing, whether it is keyed into a payment terminal or written down. All businesses that store, process or transmit payment cardholder data must be PCI DSS compliant.

Q6: Do companies using third-party processors have to be PCI DSS compliant?

A: Yes. Using a third-party processor does not exempt an agency (or any company) from PCI DSS compliance. Outsourcing payment handling can reduce risk exposure and shrink the part of your environment that is in scope, but the merchant remains responsible for its own compliance and for confirming that the service providers it uses are compliant themselves.

Q7: Are debit card transactions in scope for PCI?

A: Yes. Cards within the scope of PCI DSS include any debit, credit and prepaid card branded with the logo of one of the five card brands that participate in the PCI SSC: American Express, Discover, JCB, MasterCard and Visa.

PCI DSS compliance is of crucial importance to every company that takes card payments. Technology solutions that support document presentation, payments and signatures, including on mobile devices, are available today to help collection agencies address these risks.

BillingTree is committed to understanding the regulatory arena and helping our clients maintain compliance. Our clients have free access to Compliance Central, an online knowledge and resource portal that provides a one-stop resource for timely, insightful news and information specific to payment compliance. Contact us today to see how we can partner with you to stay up-to-date with the latest regulations.