Complying with payment card security requirements
Talking Tech
By Jeremy Disse, Network World, 05/22/2008
Compliance is one of those words that sends chills down the spine, inspiring nightmares of blood-thirsty lawyers, courtrooms
and large sums of money. Handling customer credit card data is a serious responsibility that comes with requirements
well worth understanding, but it need not be all that scary for small retailers.
The Payment Card Industry Data Security Standard (PCI DSS) applies to almost all merchants that accept credit and debit card payments.
It is not a law but an industry standard, and its goal is to protect cardholders against the theft, misuse or loss of their card data. The driving forces behind
it are the major card brands, Visa, MasterCard, American Express, Discover and JCB International, which formed the PCI Security Standards Council
to define how merchants must protect transaction data and how they must demonstrate that they are doing so.
Each card brand has defined merchant levels based on the number of transactions submitted per year, along
with the PCI audit and reporting requirements that apply to each level. The exact definition of each level varies between
the card brands, but we will use Visa's levels to illustrate the scale (MasterCard and American Express generally
set lower thresholds for each level):
* Level 1: The highest-volume merchants, those submitting 6 million or more transactions per year, as well as any merchant that has
suffered a data compromise or has been classified as Level 1 by another card brand.
* Level 2: Merchants submitting 1 million to 6 million transactions per year.
* Level 3: Merchants submitting 20,000 to 1 million e-commerce transactions per year.
* Level 4: Merchants submitting fewer than 20,000 e-commerce transactions per year, and all other merchants submitting up to 1 million
transactions per year.
Rightly, merchants that submit the highest volumes face the most stringent PCI requirements and penalties,
because of the sheer quantity of card data they hold. However, Visa reports that more compromises of cardholder data occur
at Level 4 merchants than at Levels 1, 2 and 3 combined. That is small wonder, because 99% of the merchants that
accept Visa cards are Level 4 merchants.
Security assessment requirements for smaller merchants
Level 3 merchants must complete and submit an annual PCI self-assessment questionnaire (SAQ) and have an Approved Scanning
Vendor (ASV) perform a quarterly external vulnerability scan of their Internet-facing systems and report the results. Which SAQ applies depends on how the merchant accepts and handles card data.
Acquiring banks for Level 4 merchants may require the same self-assessment and quarterly scan, so Level 4 merchants should contact their acquiring bank to find out exactly what it requires.
Comments (1)
Adhering to standards while Protecting your Clients
By Anonymous on May 22, 2008, 4:41 pm
Capturing an encrypted file only poses a problem if the encryption has been hacked. There are multiple solutions on the market today that team encryption with different...