Does the use of a POS terminal mean I need PCI DSS compliance?
Solution 1:
Generally, if you store payment card data somewhere, you will be audited by the PCI-DSS police (AMEX, VISA, MASTERCARD). If you are using a 3rd party for the transactions and storing of payment card data, then they should be able to provide you with their PCI-DSS audit report/certification. They may also require you to comply with their rules, via service agreement/contract.
Solution 2:
If you store, transmit, or process "Account Data" you must be PCI compliant. Within the PCI DSS 2.0, "Account Data" consists of both "Cardholder Data" plus "Sensitive Authentication Data."
Cardholder Data includes:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data includes:
- Full magnetic stripe data or equivalent on a chip
- CAV2/CVC2/CID/CVV2
- PINs/PIN blocks
When the exact definition is in question, the glossary helps.
How this data is handled determines what PCI Self Assessment Questionnaire (SAQ) is applicable to your business. Unfortunately, you do not provide enough information for me to confidently identify what SAQ is applicable to your business. An excerpt from the SAQ guide should help:
SAQ A -- Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ B -- Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
SAQ C-VT -- Merchants using only web-based virtual terminals, no electronic cardholder data storage.
SAQ C -- Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
SAQ D -- All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
Additionally, the volume of transactions you process determines what PCI level is applicable to your business. While this varies slightly between card companies, they are usually very similar. Additionally, the requirements for levels vary between Service Providers and Merchants. All levels require quarterly scans. Most require annual self assessments. Finally, at level 1, you must have a Qualified Security Assessor (QSA / auditor) complete your Report on Compliance (ROC).
If you fall under the qualifications identified above, you will officially have to be PCI compliant on some level. Nevertheless, your bank or acquirer is going to ultimately determine your PCI reporting requirements. Do your homework and then contact your bank; they are your best bet for determining the final expectations.
- Visa Merchant Levels
- MasterCard Merchant Levels
Solution 3:
Yes, anybody who accepts Visa payment must be PCI DSS compliant.
All merchants who are involved in the Visa payment process are required to be compliant with the PCI Data Security Standard. The standard is the foundation for the Account Information Security Program.
Source: Visa Account Information Security Merchant Guide
However, Visa does not require level 4 merchants to validate their compliance.
Level 4 Merchants: Completion of the Annual PCI Questionnaire and the PCI Security Scans are optional, but highly recommended. Based on the Acquirer's discretion, certain Level 4 merchants may need to validate compliance with the PCI DSS. Although Level 4 merchants are not required to validate compliance at this time, their network must be PCI-DSS compliant.
Source: Fraud Prevention & Security, Merchant Resources | Visa.ca
Solution 4:
Your bank will be best placed to advise you on this.
However, from what you've detailed in your question, you are accepting payments by a hand-held terminal. This will be printing off receipts for the cardholder and a merchant receipt for your records.
Those merchant receipts are called 'paper media' under the DSS, and you are mandated to store those receipts securely; only authorised personnel should have access to them. The DSS even mandates how media, physical or electronic, is handled, recorded and disposed of.
If you are in any doubt at all, call your bank, who will be able to clarify the position, but from what you've detailed here, you are required to be PCI DSS compliant.