PCI Compliance - How to be Compliant

Is there a way to avoid most of the regulatory burden and still be fully compliant and secure? All companies that take card payments over the phone are subject to PCI Compliance requirements.

These levels and requirements can be very expensive to achieve and maintain, and often place burdens on IT teams and management to keep up to date.

Often these requirements mean system upgrades and regular audits, a headache you can do without.

Why do we have to be PCI Compliant?

PCI DSS was introduced to help businesses prevent fraud and to help the industry get a handle on an escalating problem:

Credit card fraud costs the industry around £400 million every year, and the figure is increasing.

That’s why…

PCI Protection Without the Headaches

What is PCI Compliance really? What are the rules?

PCI Compliance (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card (payment card) information maintain a secure environment.

Compliance is split into a number of ‘levels’, and which level applies to you is based on the number of transactions you handle over a 12-month period.

Level 1

Any merchant processing over 6 million Visa transactions per year, and any merchant that Visa determines should meet the Level 1 requirements.

Level 2

Processing 1 to 6 million Visa transactions per year.

Level 3

Between 20,000 and 1 million Visa e-commerce transactions per year.

Level 4

Any merchant processing fewer than 20,000 Visa e-commerce transactions and all other merchants processing up to 1 million Visa transactions per year.

Requirements for PCI

To validate compliance at each level, these are the requirements placed on the business:

Level 1

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or an Internal Auditor (an Internal Auditor is recommended to obtain the PCI SSC Internal Security Assessor certification)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

Level 2

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 3

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4

  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirement set by merchant bank

For further information on exactly what each of these individual elements entails, head to the PCI DSS Compliance pages on the Visa.com website.

The Headaches

In order to be considered compliant your networks and systems have to be secure, and if payments are taken over the phone this includes your personnel as well.

You have to train all staff who take card payments, ensuring they know exactly what they need to do, and their knowledge must be monitored and tracked.

Your systems have to be kept secure from malicious attacks and intrusions, and this is a constant task because attackers’ capabilities are always improving.

If call recording is implemented then you have to consider how that data is stored. Do you want a solution that pauses or blanks the recording when it knows card numbers are about to be read out? Or a solution that keeps recording, stores the card data, and must then be kept highly secure because it holds that data?

But does it have to be this way?

No is the simple answer.

But it depends on what you need from a business perspective. If you want to keep payment card information so that your customers can make repeat purchases more simply, then perhaps you do want to implement all the checks and security.

Perhaps you do this already, in which case it isn’t a headache at all, but my guess is that if you are reading this article it is a headache.

There are solutions that enable you to take payment card information over the phone without your agent seeing the card numbers at any point, and without the numbers reaching your systems in the clear. They also allow your agent to keep talking to the customer during the process, and the call recording doesn’t have to drop either.

We have seen these solutions function very well for customers of ours, removing the headaches associated with PCI DSS compliance requirements.


If you are struggling with your PCI Compliance then please tell us about your struggles. What solutions have you found that work for you?

If you want to find out more about how you can remove the headaches then get in touch.

Jonathan Sharp

Jonathan Sharp is a communications visionary and established technology business leader with 20 years’ proven excellence in driving business innovation and transformation. Sales & Marketing Director at Britannic Technologies, he puts enthusiasm into technology adoption, helping businesses to connect with their customers and staff in the most efficient and intuitive ways.
