Using a payment card rather than cash or a check has revolutionized how people pay for things. Any organization that accepts payment cards must comply with the international governing rules established by the Payment Card Industry Security Standards Council (PCI SSC). These rules mandate that any entity that accepts the cards for payment must maintain the safety and security of the data belonging to its customers and cardholders. Whether you accept, process, transmit or store payment card data, you and your enterprise must comply with the PCI SSC rules or risk penalties and fines.
What is the PCI SSC?
At the core of the SSC are its five founding members, each of which is a globally significant payment card issuer: Visa, MasterCard, AMEX, Discover and JCB International. Together, these five financial companies control the vast majority of the world’s payment card transactions by issuing those cards to cardholders and by licensing merchants and other entities (“acquirers”) to accept them.
How Does the PCI SSC Control Payment Card Activity?
Each PCI SSC member authorizes acquirers and merchants to offer and accept logoed payment cards for financial transactions. For this purpose, an “acquirer” is a financial institution that processes payment card transactions for merchants. A “merchant” is any organization that accepts, transmits or stores cardholder data. Merchants obtain the license to accept the cards either from the PCI member directly or through an acquirer, such as a bank or credit union. Cardholders who use the cards also receive them through a financial institution. Each authorized card is emblazoned with the logo of the issuing PCI SSC member.
The data contained on each card therefore reveals both the ‘personally identifying information’ (PII) of the cardholder and the institutional information related to that account. It is highly sensitive (bank account numbers, full names, addresses, etc.) and includes exactly the information that attracts cyber thieves. Accordingly, the PCI SSC requires that all entities that accept the cards maintain high security and privacy data protection standards to protect the financial and personal privacy of cardholders. Any credit or debit card, whether used or accepted, that sports one of the five logos is subject to the rules of the PCI SSC.
PCI Compliance Levels
Recognizing that not all merchants are the same, the Council established a series of PCI compliance levels based on card usage, with compliance standards specific to each level. Each level represents a certain degree of data breach risk: the more payment card transactions that occur, the higher the risk of breach. Therefore, each successive compliance level carries more stringent security requirements because it also represents a higher level of risk.
The Four PCI Compliance Levels
All merchants that accept PCI-issued cards fall into one of the four PCI compliance levels. Each compliance level bases its parameters on the number of Visa transactions (including credit, debit or prepaid transactions) that occur within a 12-month period for any merchant “Doing Business As” (DBA) a registered entity. For companies that ‘DBA’ multiple entities, the total Visa transaction volume determines the compliance level to the extent that they aggregate that consumer data into a single data pool. If each separate DBA entity maintains its own transactional database, then the volume of transactions handled by each separate DBA entity determines its PCI compliance level. Companies with the highest total volume of Visa transactions are at PCI Compliance Level 1, while those with the fewest are at PCI Compliance Level 4.
PCI Compliance Level 1
Level 1 merchants must comply with the highest security standards, and are identified by any of three criteria:
- They handle more than six million Visa transactions in a single 12-month period, or
- They’ve suffered a previous data breach or cyber attack that caused the compromise of consumer data, or
- They are identified as a Level 1 by any card association.
PCI Compliance Level 2
These merchants handle between one and six million Visa or Mastercard transactions in the 12-month period.
PCI Compliance Level 3
These merchants handle from 20,000 to one million Visa or Mastercard transactions within a year.
PCI Compliance Level 4
These small merchants handle fewer than 20,000 Visa or Mastercard e-commerce transactions each year and up to one million total Visa or Mastercard transactions annually.
At a minimum, Visa and MasterCard require submission of four PCI compliance validation documents to prove that your company is compliant at its ascertained level (some acquirers mandate additional validation steps). To prove compliance, all merchants at any level must submit to their Visa or MasterCard acquirer:
- an “Annual Self-Assessment Questionnaire” (SAQ). There are six SAQs, each related to the channels a merchant uses to access payment card information.
- a quarterly network scan of the merchant’s data security system issued by an “Approved Scan Vendor” (ASV), and
- an Attestation of Compliance form.
- Additionally, Level 1 compliance requires submission of an “Annual Report on Compliance” (ROC) generated by a “Qualified Security Assessor” (QSA).
The convenience of today’s payment card system makes it easier and safer for both merchants and consumers to complete transactions from virtually any location in the world. Merchants who accept those cards may have a few hoops to jump through to maintain their security, but the revenue-building opportunities the cards present are unsurpassed. If you’re concerned about how your enterprise manages its PCI data security compliance procedures, talk to an experienced managed IT services provider to ensure that you’ve both achieved and are maintaining compliance with PCI standards.