It is not unusual to hear on the news of yet another security breach in which data on millions of payment cards has been stolen by attackers who compromised a retailer's systems over the Internet. In an effort to reduce card fraud and protect their interests and the public at large, the major card brands banded together to form the PCI Security Standards Council. This group maintains the PCI Data Security Standard (PCI DSS), the baseline set of requirements for keeping cardholder data secure and out of the hands of attackers.
Merchants that accept cards are placed into one of four PCI compliance levels. The levels are set by the individual card brands (Visa, Mastercard and the others), not by the Council itself, and are based on a merchant's annual transaction volume and the channels it uses (e-commerce versus brick and mortar); the level determines how the merchant must validate that it stores and protects cardholder data as the standard requires. The Council has no legal authority to force retailers to follow the PCI DSS; enforcement comes through the card brands and the merchant's acquiring bank, which can levy fines, and a merchant that suffers a breach or neglects its obligations can be reassigned to a higher, more demanding level. At every level a merchant must have its externally facing systems scanned quarterly by an Approved Scanning Vendor (ASV), where such systems are in scope, and must complete an Attestation of Compliance (AOC). The additional validation steps depend on the merchant's assigned PCI compliance level.
PCI Compliance Level 1
The most demanding validation requirements apply to merchants that process more than six million card transactions a year across all channels, along with any merchant that a card brand designates as Level 1 (for example, a global merchant already identified as Level 1 in another region). A merchant in this category must have an annual on-site assessment performed by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC) rather than a self-assessment.
PCI Compliance Level 2
This level applies to merchants that process between one million and six million card transactions a year, whether through brick-and-mortar or e-commerce channels. These merchants may validate by completing an annual Self-Assessment Questionnaire (SAQ) instead of hiring a QSA for a full on-site assessment, although some card brands require that the questionnaire be completed by a trained internal assessor or a QSA.
PCI Compliance Level 3
Merchants that process between 20,000 and one million e-commerce transactions a year are classified as PCI Compliance Level 3. This group also validates by completing its own Self-Assessment Questionnaire each year.
PCI Compliance Level 4
This level applies to merchants that process fewer than 20,000 e-commerce transactions a year, and to all other merchants that process up to one million card transactions a year in total across every channel. Merchants in this group complete their own annual Self-Assessment Questionnaire, with the specific validation requirements set by their acquiring bank.
The cost of maintaining a PCI compliance program varies with the level required and the size of the merchant's network, but it is a necessary expense of doing business. A retailer that refuses to comply, or is lax in its compliance, faces fines from the card brands and can lose its merchant account with its payment processor. Without that account, the retailer cannot accept card payments at all. Maintaining PCI compliance at the assigned level is therefore essential to a merchant's bottom line, quite apart from reducing the risk of lawsuits and the major financial losses that follow a breach.