Payment Card Industry Data Security Standard (PCI DSS)

To start with, here are the relevant websites:

https://www.pcicomplianceguide.org

https://www.pcisecuritystandards.org/document_library


Here are the three big questions:

Q1: What is PCI?

A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.


Q2: To whom does the PCI DSS apply?

A: The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.


Q3: What is the current version?

A: The current version is PCI DSS v3.2.

Download the Data Security Standard document here: PCI_DSS_v3-2.


What are Merchant Levels

What are “Merchant Levels” and do they affect me?

Look at the “Merchant Levels” below and find the one you fit into. The difference between the levels comes down to whether you have been attacked and the total amount of sales you have in a year.


Source: pcisecuritystandards.org

Approved Scanning Vendors (ASV)

Listed below are the Merchant levels, criteria, and related validation requirements for VISA and MasterCard. Although there are technically three (3) other major payment brands (AMEX, Discover, and JCB), compliance with the two (2) brands noted here generally covers the others:

Merchant Level: 1
Merchant Criteria:
(1). Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year.
(2). Any merchant that has had a data breach or attack that resulted in an account data compromise.
(3). Any merchant identified by any card association as Level 1.
Validation Requirements for VISA and MasterCard:
(1). Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”), also commonly known as a Level 1 onsite assessment, or by an internal auditor if signed by an officer of the company.
(2). Quarterly network scan by an Approved Scanning Vendor (“ASV”).
(3). Attestation of Compliance Form.

Merchant Level: 2
Merchant Criteria:
(1). 1 million to 6 million Visa or MasterCard transactions annually (all channels).
Validation Requirements for VISA and MasterCard:
(1). Annual Self-Assessment Questionnaire (“SAQ”).
(2). Quarterly network scan by ASV.
(3). Attestation of Compliance Form.

Merchant Level: 3
Merchant Criteria:
(1). Merchants processing 20,000 to 1 million Visa or MasterCard e-commerce transactions annually.
Validation Requirements for VISA and MasterCard:
(1). Annual Self-Assessment Questionnaire (“SAQ”).
(2). Quarterly network scan by ASV.
(3). Attestation of Compliance Form.

Merchant Level: 4
Merchant Criteria:
(1). Fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.
Validation Requirements for VISA and MasterCard:
(1). Annual Self-Assessment Questionnaire (“SAQ”).
(2). Quarterly network scan by ASV.
(3). Attestation of Compliance Form.
Note: Ultimately, compliance validation requirements are set by the acquirer.


How many customer databases will there be

If you purchase all the modules from the same vendor, “How many customer databases will there be?”

You would think just “one” database, but that is definitely not always true. What this means for you is: when you pull reports, are they accurate?

Do you have to enter the same information twice, first in the PMS and then in the Spa software? A good example of where this comes into play is a centralized reservation system. Your staff will have to add the customer demographics to the PMS software to create a reservation and then re-enter the same information in the Spa software to make a spa appointment. You can plan on having frustrated staff, not to mention that the guest will have to give the information two times; and never write the credit card information down on paper (a PCI compliance issue). It is highly recommended that you select software that replicates the data entered in the spa software to the PMS and vice versa. NOTE: A single database is not always required, as long as the replication is “perfected” and you are not the guinea pig.
