A Beginner's Guide to the PCI Compliance Levels

Many business owners tend to think data breaches and cardholder data theft can only happen to giant business entities such as Sony, Home Depot, and Target.

But is this really true?

In this blog post, you'll learn how SMEs are just as vulnerable to data breaches, how PCI compliance can help, and how to find your current level of PCI compliance.

The 4 Levels of PCI Compliance

The PCI DSS council was founded by major credit card companies. Each of these card brands have their own set of compliance levels: Visa, Mastercard, Discover, American Express, and JCB.

Although it may be quite confusing to figure out your current compliance level if you're dealing with multiple card companies, PCI Guru can clear things up for you:

While Visa, MasterCard and Discover have their own table of merchant levels, if you compare them, you will note that Visa, MasterCard and Discover have gotten together and decided to use the same criteria for determining merchant levels. So, if the only credit cards you accept as a merchant are Visa, MasterCard and/or Discover, you only need to reference the Visa tables as their merchant level criteria are all the same.

But for those merchants that accept American Express and/or JCB in addition to the other card brands, do not fret. The card brands have made things easy for you as well. If you are a given merchant level for any other card brand, you are that merchant level for every card brand.

The following are the 4 levels of PCI compliance:

Level 1: Merchants processing over 6 million card transactions per year.
Level 2: Merchants processing 1 to 6 million transactions per year.
Level 3: Merchants handling 20,000 to 1 million transactions per year.
Level 4: Merchants handling fewer than 20,000 transactions per year.

Cardholder Data Threats

Before you declare there's nothing to fret about and that you're not putting your customers' payment card data at risk because you're a small business, consider the following statistics:

  • According to small-business financing provider Balboa Capital Group, 18 percent of businesses with fewer than 250 employees experienced a cyber-attack in 2011. This number doubled to 36 percent in 2014.
  • The latest report by Verizon on PCI compliance highlights PwC research findings of an alarming increase in data breach cases, estimated at an average of 66 percent per year since 2009.
  • Smart Card Alliance reveals that together the Home Depot and Target data breaches have cost credit unions and members nearly 100 million dollars in the last year.

Judging from these figures, you might conclude that small and medium-sized enterprises (SMEs) are probably scrambling in panic over the thought of data breaches. If fraudsters can fool the big guy, surely small businesses are more likely to be vulnerable, right?

It turns out, this isn't the case. In 2014, the same year data breaches were happening left and right, a survey revealed that SMEs underestimated the threat of cyber attacks. A whopping 82 percent of SMEs declared they weren't worried about the attacks because they didn't have anything worth stealing.

PCI Compliance

To address the growing threat of data breach among payment cards, the Payment Card Industry Data Security Standard (PCI DSS) was drafted.

According to the PCI Security Standards Council, PCI DSS is a set of universally accepted standards that help protect the safety of customer data. PCI DSS sets the operational and technical requirements for organizations accepting or processing payment transactions, as well as for software developers and manufacturers of the applications and devices used in those transactions.

Put simply, any business entity that is involved in accepting, processing, and storing payment card information is required to comply with PCI DSS.

The most recent version of PCI DSS, version 3.1, was announced in April 2015. Currently, there are 12 requirements for businesses to meet in their PCI compliance journey, ranging from securing firewall configurations to utilizing a robust file-monitoring integrity system. These requirements not only ensure organizations are compliant for a certain period of time but that they are also continuously tracking and monitoring critical changes.

Noncompliance may result in a fine of $5,000 to $500,000 for the acquiring bank, who in turn passes along the fines to the offending merchant. For those who are already PCI compliant, data breaches could translate to another set of fines, including suspension of credit card acceptance. It's important to note that the council won't penalize you for non-compliance. However, your bank may hold you accountable for non-compliance.

The First Step to PCI Compliance

Two myths persistently follow PCI Compliance:

  • The First, that it's a headache to meet the requirements. In actuality, the requirements are beneficial and make good business sense.
  • The Second, that small businesses that handle just a couple credit card transactions a year don' thave to comply with PCI-DSS.

PCI compliance exempts no one. And meeting all 12 requirements doesn't have to feel like you're on an expedition to climb Mt. Everest.

Now that it's clear how PCI compliance is critical not just to protect your customers' data but to also project the trustworthiness of your business, figuring out your merchant compliance level is your first step to PCI compliance.

Who Will Validate Your PCI Compliance Level?

Validating compliance is either accomplished through a Self-Assessment Questionnaire (SAQ) or annual audits by qualified security assessors who will come up with their findings through an ROC (Report on Compliance).

Take note that card brands and/or your acquiring bank may impose additional requirements before they can declare that your organization is a level 1, 2, 3 or 4.

 

PCI Self-Assessment Questionnaire

 

Why Do Acquiring Banks Have a Say in Your PCI compliance?

As earlier mentioned, banks bear the brunt of noncompliance fines from card brands before it gets to you. Picture them as the middle man. Thus, it's only fitting for them to assess where you are exactly in the compliance map.

How CimTrak Lightens Your PCI Compliance Load

Given that data breaches still occur in organizations that are already compliant with PCI DSS, continuous monitoring is critical.

As an advanced integrity and PCI compliance tool, CimTrak's job is to detect and notify you of suspicious changes. It also has the ability to instantaneously revert these changes. Think of CimTrak as your PCI compliance cop who's on call 24-7.

Whether you're at Level 1 or Level 4 with PCI compliance, our resident PCI geeks are adept at answering all your PCI compliance questions. Contact us today!

PCI Compliance Checklist eBook

Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".