With the emphasis on security for all credit and debit card transactions, it’s important for every organization that accepts credit payments to understand the details of Payment Card Industry (PCI) data security standards.
That’s because PCI applies to anyone who handles card transactions - transmitting, accepting or storing card information. It doesn’t matter the size of the business or how many transactions they handle per month or year.
Here is how PCI works and how it can affect your business. It’s important to stay compliant, as fines can reach as much as $5,000 to $100,000 per month.
A Brief History
The PCI security standards launched in September 2006. The PCI Security Standards Council developed the standards and continues to manage and administer them.
The independent council was created by all the major credit card brands - Visa, Mastercard, American Express, Discover and JCB. These brands are charged with enforcing the standards, not the PCI security council. All the current documents from the council are kept in an online library.
The idea is to make online transactions involving credit, debit and prepaid cards as safe and secure as possible.
The PCI Levels
The PCI security council established four different levels for card transaction security. They are based on the number of transactions an organization conducts over a one-year period. All merchants fall into one of the four categories.
The level is determined by the aggregate number of transactions from a merchant listed as “doing business as” (DBA). Those with more than one DBA will have transactions from all of them added together to determine the level.
Here are the levels. Keep in mind that this includes all card transactions - credit, debit and prepaid. Each of the transaction numbers is for a 12-month period.
- Level 1. 6 million or more transactions as well as global transactions
- Level 2. 1 million to 6 million transactions
- Level 3. 20,000 to 1 million e-commerce transactions
- Level 4. Less than 20,000 e-commerce transactions and up to 1 million transactions for other businesses
Also, any merchant can be listed at Level 1 at the discretion of the credit card brands if they determine extra levels of security are needed. In addition, any merchant whose system has been breached may be elevated to a higher level regardless of the number of transactions.
Compliance at Each Level
It’s easy enough to see what level applies to your business. But what standards must be met at each level to be in compliance with PCI standards?
Level 1. Companies at this level must hire an outside, PCI security council-approved vendor to test their system and file an annual compliance report.
Level 2. Companies at this level can do a self-assessment of their system. However, some may be required to get evidence of passing a vulnerability scan with a PCI security council-approved scanning vendor.
Levels 3 and 4. At these levels, merchants are also allowed to do a self-assessment.
Some other issues that frequently come up with PCI compliance include the following, according to the PCI Compliance Guide:
- Merchants who take card orders over the phone must be PCI compliant
- Organizations that hire a third-party card processing company must also maintain PCI compliance
- Businesses with multiple locations may have to get evidence of passing a vulnerability scan at each location
- Even if a merchant doesn’t store card data, PCI standards still apply - although it’s easier to become compliant if you don’t store card data
PCI compliance is a key component of having a secure system for credit card payments. Moreover, it’s required by the major credit card companies. Every merchant that accepts cards for payment must work to ensure it meets the standards.