The Four Levels of PCI Compliance For Restaurants and Retail


Posted by Jonah Babnick on Jul 24, 2018 8:00:00 AM

With the emphasis on security for all credit and debit card transactions, it is important for every organization that accepts card payments to understand the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS applies to anyone who stores, processes or transmits cardholder data. The size of the business and the number of transactions it handles per month or year do not change whether it applies; they only change how compliance is validated.

Here is how PCI works and how it can affect your business. Staying compliant matters: the card brands can levy fines, passed on through the merchant's acquiring bank, that reach $5,000 to $100,000 per month for non-compliance.

A Brief History

The PCI Security Standards Council was formed in September 2006 and has developed, maintained and administered the standard since. The card brands had published the first version of the PCI DSS, 1.0, in December 2004.

The independent council was created by the major card brands: Visa, Mastercard, American Express, Discover and JCB. The brands, not the council, are responsible for enforcing the standard; the council publishes it and the supporting documents, all of which are kept in its online document library.

The goal is to make every card transaction, whether online or in person and whether by credit, debit or prepaid card, as secure as possible.

The PCI Levels

The card brands, rather than the council, define four merchant levels for compliance validation. They are based on the number of transactions an organization conducts over a one-year period, and every merchant falls into one of the four. The thresholds below are Visa's; the other brands use similar ones.

The level is determined by the aggregate number of transactions under a merchant's "doing business as" (DBA) name. A merchant with more than one DBA has the transactions from all of them added together to determine the level.

Here are the levels. Keep in mind that they count all card transactions: credit, debit and prepaid. Each transaction count is for a 12-month period.

  • Level 1. More than 6 million transactions per year across all channels, or any merchant the card brand designates Level 1 regardless of volume (for example, global merchants treated as Level 1 in any region)
  • Level 2. 1 million to 6 million transactions per year across all channels
  • Level 3. 20,000 to 1 million e-commerce transactions per year
  • Level 4. Fewer than 20,000 e-commerce transactions per year, and all other merchants with up to 1 million transactions per year

In addition, a card brand can place any merchant at Level 1 at its discretion if it decides extra scrutiny is warranted, and a merchant that has suffered a breach may be moved to a higher level regardless of its transaction count.

Compliance at Each Level

It is easy enough to see which level applies to your business. But what must be done at each level to validate compliance with the standard?

Level 1. Merchants at this level must have an annual on-site assessment performed by a council-qualified outside assessor (a Qualified Security Assessor, QSA), documented in a Report on Compliance (ROC) that is submitted to their acquiring bank, and must pass quarterly external vulnerability scans by a council-approved scanning vendor (an Approved Scanning Vendor, ASV).

Level 2. Merchants at this level can validate with an annual Self-Assessment Questionnaire (SAQ) instead of a QSA assessment, but must also pass quarterly ASV vulnerability scans. Some brands additionally require the SAQ to be completed by a QSA or by staff trained as Internal Security Assessors (ISA).

Levels 3 and 4. Merchants at these levels also validate with an annual SAQ. Level 3 merchants must pass quarterly ASV scans as well; for Level 4, scans are required where the acquirer or the applicable SAQ calls for them. Which SAQ applies depends on how cards are accepted: for example, SAQ A for e-commerce that is fully outsourced to a validated processor, SAQ B for standalone dial-out terminals with no electronic storage of card data, and SAQ D, the longest, for everything that does not fit a narrower questionnaire.

Other Issues

Some other issues that frequently come up with PCI compliance include the following, according to the PCI Compliance Guide.

  • Merchants who take card orders over the phone must be PCI compliant
  • Organizations that hire a third-party card processing company must also maintain PCI compliance
  • Businesses with multiple locations may have to get evidence of passing a vulnerability scan at each location
  • Even if a merchant doesn't store card data, PCI standards still apply - although compliance is far easier if you don't store it, and easier still if card data never touches your own systems at all (for example, a validated point-to-point encryption terminal or a processor that tokenizes the card number), because that shrinks the scope of what must be assessed

PCI compliance is a key component to having a secure system for credit card payments. Moreover, it’s required by the major credit card companies. Every merchant that accepts cards for payment must work to ensure they meet the standards.
