A reader recently submitted the following question to Ask PCI DSS Guru:

“When will merchants be contacted with the questionnaire for compliance? I have had card processing for 8 years and have never been contacted previously.”

Depending upon your size, that may or may not be surprising. PCI SSC does not contact merchants of any size directly. The card associations place the onus on the acquiring banks to reach out to their customers and make them aware of the requirements.

Acquiring banks began this process with their largest merchants (Levels 1 and 2) back when the compliance deadline of June 2005 was set. A year and a half after the deadline, only 65% of Level 1 and 15% of Level 2 merchants had certified compliance.

Adoption was deemed too slow by the associations, which initiated the PCI Compliance Acceleration Program. The program was an attempt to move the industry along through both sticks (fines on the acquiring banks ranging from $5K to $25K per month) and carrots (incentive payments to the acquirers, if they met a new 2007 deadline).

Now Level 1 and 2 merchants were hearing from their acquirers, but Level 3 and 4 merchants were quite often ignored by the banks, which were prioritizing their efforts by risk. In recent years, with the top merchants in compliance, banks have turned their attention to their smaller clients. Thus some merchants may only now be hearing about these requirements, first published about five years ago!

As for the requirements and questionnaire, they are available in the PCI SSC Document Library. As you get started on your PCI DSS journey, you may wish to read An Introduction to PCI DSS.