Getting PCI Compliant


Written by Editorial Team

Published May 2018

In this article...

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard set by the PCI Security Standards Council.  It applies to organisations that store, process or transmit cardholder information from any of the globally recognised card schemes, including Visa, MasterCard and American Express.

How does it affect you?

Following changes to Visa’s Account Information Security Programme, from 1st October 2009 all merchants processing less than 1 million transactions annually (Level 2, 3 and 4) must process via a PCI DSS certified provider, such as Pay360, or provide certification of their own PCI DSS compliance to their acquirer.

If you do not comply with this industry standard then you are liable to incur substantial fines enforced by the card schemes and you could also find yourself being permanently banned from any further card processing.

(Since January 2005, more than 234 million records with sensitive cardholder data have been breached globally 'Source: PCI Security Standards Council').

If you process your online payments using Pay360’s hosted payment pages your payment processing already meets full PCI Compliance, however, you will still need to complete a Self Assessment Questionnaire. If you store, transmit or process any card holder data on your own business network (an API solution) then you will also need to have quarterly vulnerability scans.

Regardless of how you process your online card payments, read on to find out what steps you need to take to ensure that your business is fully PCI Compliant.

Some commonly held myths

“I only process a small number of transactions so don’t need to be PCI compliant.”
False – All merchants, large or small, need to be PCI compliant.

“I only need to complete a self-assessment questionnaire to become PCI compliant.”
False – if you are using your own payment pages, you will need to ensure that your systems are secure and will need to comply with the 12 PCI DSS requirements. If you are using the Pay360's payment page, you can take comfort in the knowledge that we have achieved full PCI compliance.

“I will get around to achieving PCI compliance when I have the time – it’s too much work.”
We would not recommend this approach. Our banking partners are required to report to Visa and MasterCard on all merchants, including those that are not compliant with no clear action plans to address any known issues. The fines that card schemes can levy for a non-compliant merchant are high. If you then experience a security breach on your own systems (where you are maintaining your own payment pages) daily fines can be levied and your ability to process card payments can be removed.

What do I need to confirm compliance?

The level of data you need to provide is largely dependant on the number of transactions you process each year.

Level Criteria Onsite Security Audit Self-Assessment Questionnaire Network Scan
  • Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year
  • Any merchant that suffered a security breach resulting in account compromise
    Scan required quarterly
  • Any merchant processing between 1 to 6 million transactions per year
  SAQ required annually Scan required quarterly
  • Any merchant processing between 20,000 to 1 million transactions per year
  SAQ required annually Scan required quarterly
  • All other merchants
  SAQ required annually Scan required quarterly














For merchants that process using Pay360’s payment pages (hosted solution), there is no requirement for a quarterly scan to be provided as this will be covered by our own Level 1 PCI DSS Compliance validation. This is however dependent on the fact that you don’t store, transmit or process any card holder data on your own business network if your website is hosted in a different location.

Self Assessment Questionnaire and Network Scans

On an API solution, in order to meet PCI Compliance your network needs to be scanned on a quarterly basis.  In addition, Level 2, 3 and 4 merchants need to complete a Self Assessment Questionnaire (SAQ) on an annual basis.  Level 1 merchants will require an annual onsite audit.

There are four different self-assessment questionnaires but you only need to complete the one that’s applicable to your business:

  • SAQ A
    For merchants in a Card Not Present (CNP) environment where all cardholder data functions are outsourced – this applies to you if you process card payments using’s payment pages
  • SAQ B
    Merchants with standalone dial-out terminals only not connected to the internet and to any other systems and no cardholder data storage onsite
  • SAQ C
    Merchants with POS systems connected straight to their service provider via the internet so no electronic cardholder data is stored onsite.
  • SAQ D
    For merchants in a Card Not Present (CNP) environment where all cardholder data functions are initially processed internally.

Sign up for similar content

Receive the latest insight and tips, straight to your inbox and learn how to maximise the success of your business.