I've read a lot about PCI DSS and its requirements, but I'm unclear on what exactly determines whether an organization needs to worry about PCI DSS compliance.
We accept payments using a basic HiSpeed 6200 POS terminal which is connected to the internet through our office LAN. We aren't using VLANs. The terminal isn't integrated with any payment processing applications; it just prints out paper receipts.
Do I need to worry about PCI DSS compliance?
If you store, transmit, or process "Account Data" you must be PCI compliant. Within the PCI DSS 2.0, "Account Data" consists of both "Cardholder Data" plus "Sensitive Authentication Data."
Cardholder Data includes:
Sensitive Authentication Data includes:
When the exact definition is in question, the glossary helps.
How this data is handled determines what PCI Self Assessment Questionnaire (SAQ) is applicable to your business. Unfortunately, you do not provide enough information for me to confidently identify what SAQ is applicable to your business. An excerpt from the SAQ guide should help:
SAQ A -- Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ B -- Imprint-only merchants with no electronic cardholder data storage, or standalone, dialout terminal merchants with no electronic cardholder data storage
SAQ C-VT -- Merchants using only web-based virtual terminals, no electronic cardholder data storage
SAQ C -- Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
SAQ D -- All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
Additionally, the volume of transactions you process determines what PCI level is applicable to your business. While this varies slightly between card companies, they are usually very similar. Additionally, the requirements for levels vary between Service Providers and Merchants. All levels require quarterly scans. Most require annual self assessments. Finally, at level 1, you must have a Qualified Security Assessor (QSA / auditor) complete your Report on Compliance (ROC).
If you fall under the qualifications identified above, you will officially have to be PCI compliant on some level. Nevertheless, your bank or acquirer is going to ultimately determine your PCI reporting requirements. Do your homework and then contact your bank; they are your best bet for determining the final expectations.
Generally, if you store payment card data somewhere, you will be audited by the PCI-DSS police (AMEX, VISA, MasterCard). If you are using a 3rd party for the transactions and storage of payment card data, then they should be able to provide you with their PCI-DSS audit report/certification. They may also require you to comply with their rules, via service agreement/contract.
Yes, anybody who accepts Visa payment must be PCI DSS compliant.
However, Visa does not require level 4 merchants to validate their compliance.
Your bank will be best placed to advise you on this.
However, from what you've detailed in your question, you are accepting payments by a hand-held terminal. This will be printing off receipts for the cardholder and a merchant receipt for your records.
Those merchant receipts are called 'paper media' under the DSS, and you are mandated to store those receipts securely; only authorised personnel should have access to them. The DSS even mandates how media, physical or electronic, is handled, recorded and disposed of.
If you are in any doubt at all, call your bank, who will be able to clarify the position, but from what you've detailed here, you are required to be PCI DSS compliant.