To satisfy the requirements of PCI, a Merchant must do two things:
- Comply with the Data Security Standard (by meeting all of the requirements laid out in the Data Security Standard), and
- Validate their compliance. This means the Merchant must SHOW (in a manner appropriate to their size and situation) that they are complying with the Data Security Standard. For some Merchants (those with a high volume of card transactions, or with a history of security problems) validation involves on-site audits by certified professionals, but for many Merchants the primary requirements are:
  - annual completion and submission by the Merchant of a PCI Self Assessment Questionnaire (the ‘SAQ’); and
  - where appropriate, undergoing a quarterly network vulnerability scan performed by a certified scanning company.
More information is available in the FAQ sections on Compliance and Validation.
Important: Being in Compliance does NOT automatically mean that the Merchant has met their Validation requirement (in the same way that individuals must comply with the Tax Code by paying income tax, AND validate their compliance via the use of receipts and other documents.)