Merchant Services

PCI Data Security

Protecting Cardholder Data is Good for Business – and It's Required

Providing customers with secure payment options not only provides them with more incentives to patronize your business – but is also your responsibility. In fact, failure to protect cardholder data could cost your company thousands of dollars in fines, in addition to loss of business.

Rest assured, as a Chase merchant, you have a team of data security experts ready to advise you, keep you informed of data security requirements and offer suggestions on how our solutions can help you meet them.

Payment Card Industry Data Security Standards

All merchants that accept electronic payment cards are required to follow the payment brands' rules to protect cardholder data, using their adopted common requirements, referred to as the Payment Card Industry Data Security Standards (PCI DSS). These provide merchants with a unified approach to safeguarding sensitive data.

These requirements range from removing sensitive card data from your payment terminals and processing systems, to implementing data security policies for your employees.

The complete list of standards is available for download from the PCI Security Standards Council.

Individual Payment Brand Requirements

In addition, Visa®, MasterCard® and other payment brands have their own data security programs that require merchants to safeguard credit card processing data. You'll want to visit their websites to learn more about each payment brand's requirements.

Compliance Validation

Not all compliance reporting requirements are the same – they can differ based on the merchant's level, which is determined by your processing volume. Depending on your level, you may be required to validate and report your PCI DSS compliance to your acquirer. For example, merchants with higher volumes are required to work with qualified security assessors (QSAs), internal security assessors (ISAs) and approved scan vendors (ASVs). The chart below provides an overview of each reporting level.

PCI DSS Compliance Reporting

Depending on your merchant level, you may be required to submit the relevant documentation to validate and report your PCI DSS compliance to Chase and the payment brands.

It's important to keep these points in mind:

  • Chase annually assigns a merchant level to each of our merchants, as is required by the payment brands. These levels are based on the number of transactions a merchant processes in a one-year period within a single payment brand.
  • The payment brands set their own levels. For example, while Visa and MasterCard levels are generally the same, American Express uses a separate set of criteria for establishing merchant levels and has different reporting requirements.
  • Each payment brand establishes their own criteria to determine merchant validation deadlines.
Merchant Level Criteria Requirements
1 Over 6 million Visa or MasterCard transactions in a 12-month period
  • Onsite Assessment and Report on Compliance (ROC) performed by QSA or ISA
  • Quarterly network scans by ASV
2 Between 1 and 6 million Visa or MasterCard transactions in a 12-month period
3 Between 20,000 and 1 million Visa or MasterCard ecommerce transactions in a 12-month period
4 Less than 20,000 ecommerce or less than 1 million transactions with one card brand in a 12-month period