Cyber attacks are nearly ubiquitous, with 79% of companies facing at least one in the third quarter of 2017. Companies that handle credit card payments in any form are especially desirable targets. To keep their customers safe, credit card companies have created security standards for their merchants that protect customer data.
The Payment Card Industry Data Security Standard is a set of standards that were designed to foster a secure environment among all companies that accept, process, transmit or store credit card information. The standard was created by the Payment Card Industry Security Standards Council, which is an independent body formed cooperatively by the payment brands Visa, MasterCard, Discover, American Express and JCB. First launched in 2006, these standards are enforced not by the council, but by the payment brands you do business with.
If you are an organization that accepts, transmits or stores any cardholder data, the compliance standards apply to you and your business. Understanding your PCI Compliance Level can help you ensure that your processing is never at risk.
Understanding the Four Compliance Levels
Companies who are subject to PCI standards are divided into four different compliance levels. These levels are based on how much your process per year, as well as other details about the level of risk assessed by payment brands. At each level, you have different validation requirements. The four levels and their validation criteria are:
The least stringent compliance level is for those who process fewer than 20,000 Visa or MasterCard e-commerce transactions each year or up to one million other types of card transactions.
At Level 4, you must complete a Self-Assessment Questionnaire (SAQ) each year. You are also subject to quarterly network scans by a PCI SSC- Approved Scanning Vendor (ASV). You’ll need to complete an Attestation of Compliance form.
Merchants at this level are those performing anywhere from 20,000 to one million e-commerce transactions each year.
The validations requirements are the same as those for Level 4 compliance.
Merchants must comply with Level 2 requirements if they process anywhere from one to six million transactions each year, across all channels. The validation requirements at this level are the same for those at the lower compliance levels.
A merchant needs to comply with Level 1 requirements if they process more than six million transactions per year across any channel. Additionally, you are required to comply with Level 1 requirements if you have been subject to an attack or a data breach that resulted in any compromise of cardholder data. Payment brands may also require other merchants to comply with Level 1 requirements, at their discretion, if they decide that the risks merit it.
At Level 1, the SAQ is replaced by an Annual Report on Compliance performed by a Qualified Security Assessor. This can be performed by a Level 1 onsite assessor or an internal auditor if an officer of the company is willing to sign the assessment. Having an external auditor, such as those who work with us at I.S., can help ensure that you are complying with all requirements.
How Do You Determine Your Level?
Your level is based on data from the prior 52 weeks of business. While each major payment brand has their own table of merchant levels, Visa, Discover and MasterCard have all worked together to make their levels consistent. American Express and JCB accepts the merchant levels determined by any other card brand.
What Happens if There is a Breach?
The consequences of a breach can be devastating to a business. A breach that can cause a change in your compliance level includes any attack or incursion that leads to the exposure of data. If you have a breach, Visa reserves the right to increase your compliance level as a response. Because of the increased perceived risk, your compliance level will no longer be bound to the number of transactions you perform each year. So, if you are currently only bound by Level 4 compliance, you may find yourself having to comply with Level 1 requirements.
The acquiring bank that you work with may also, at the payment brand’s discretion, be fined anywhere from $5,000 to $100,000 per month for violations of PCI compliance. In most cases, the bank will pass the fine along until it reaches you, the merchant. Additionally, you may face increased transaction fees or even the loss of your ability to process cards.
We Can Help
At I.S. Partners, we are dedicated to helping our clients protect their assets by showing them how to stay in compliance with their financial partners’ requirements. We can help with validation tasks to make sure that your process is secure and that the people who do business with you are not at risk. We work with you throughout the validation process and help and eliminate anything that can stand between your company and payment processing. Because of the massive consequences of breaches, proper compliance is of vital importance.