PCI Levels: What Every Business Needs to Know
Unfortunately, cases like this have become all too common, with the first half of 2018 seeing 668 data breaches affecting 23 million records.(2) Getting hit by a breach like this can be damaging enough to your company, but if you don’t meet the Payment Card Industry compliance standards for your PCI level, you may also be subject to fines from your credit card provider, on top of any losses from the breach itself and the damage to your company’s reputation. Here’s what you need to know about PCI compliance levels to protect your customers and your company.
What Are PCI Compliance Levels?
PCI levels are levels of compliance for different categories of merchants defined by the Payment Card Industry Data Security Standard (PCI DSS),(3) an industry security standard adhered to by major credit card providers. The standard was designed by the Payment Card Industry Security Standards Council (PCI SSC), an independent body set up in 2006 by Visa, MasterCard, Discover, American Express, and JCB to address the growing need for measures against cybercrime.
The standard lays out twelve sets of compliance requirements which must be followed by all companies that accept, transmit, or store credit card data. These sets of requirements are grouped into six categories representing over 200 sub-requirements, addressing:
- Building a secure network
- Protecting cardholder data
- Maintaining vulnerability management procedures
- Strengthening access control
- Monitoring and testing networks
- Maintaining information security policy
Meeting these PCI compliance standards involves a validation process that varies based on how many transactions your organization handles a year. Validation requirements fall into four PCI tier levels, which are defined by Visa as follows:
- Merchant level 4: Any merchant processing less than 20,000 Visa e-commerce transactions a year, and all other merchants processing up to 1 million Visa transactions a year regardless of acceptance channel
- Merchant level 3: Any merchant processing 20,000 to 1 million Visa transactions a year regardless of acceptance channel
- Merchant level 2: Any merchant processing 1 million to 6 million Visa transactions a year regardless of acceptance channel
- Merchant level 1: Any merchant processing over 6 million Visa transactions a year regardless of acceptance channel, or any merchant that Visa deems should meet level 1 requirements
A company that suffers a breach may have its ranking on these PCI tier levels escalated to a higher validation level to minimize risk.
How PCI Non-Compliance Can Hurt Your Business
As the PCI tier levels indicate, PCI compliance standards apply to all companies that accept, transmit, or store credit card data, no matter how small the company or how few credit card transactions it processes. This applies whether you process credit cards online, in person, or over the phone. It also applies if you use a third-party provider to handle your transactions.
While the PCI SSC does not itself have the authority to impose penalties for non-compliance, individual credit card providers can and will impose penalties. Credit card providers typically fine the acquiring bank $5,000 to $100,000 per month for non-compliance, and this fee ultimately gets passed on to the merchant. Your bank may then increase your fees or terminate their relationship with you. This can damage any business, and for a small business, it can be disastrous. For instance, Lodi Beer ended up paying $27,000 in fines plus another $50,000 in legal fees and other costs after breaching compliance rules by unknowingly storing credit card data in their point of sale system.(4) Over eight in ten credit card breaches affect small businesses, which are typically most vulnerable to hackers. Visa issued $3.3 million in non-compliance fines during the first year after the PCI compliance standards went into effect.
How to Become PCI Compliant
The first step towards becoming PCI compliant is to determine which of the PCI tier levels you fall into. You can then determine which validation procedures you are required to follow. Companies handling smaller volumes of transactions can complete a self-assessment questionnaire along with an attestation of compliance, and may also be required to have an approved vendor (an Approved Scanning Vendor) use an automated tool to scan their externally facing systems for vulnerabilities, a procedure called a vulnerability scan. A self-assessment tool and other resources are available on the PCI SSC’s website.(5)
In order to meet PCI compliance standards, if you use third-party providers for your e-commerce services, you will need to make sure your providers also meet PCI standards. For example, if you process payments through your cloud contact center or over VoIP phone lines, you will need to use a vendor who is PCI compliant. 8x8 provides cloud contact center and VoIP services(6) that adhere to PCI DSS security standards for e-commerce, along with other security standards such as HIPAA and FISMA that may apply to some businesses.
If your business handles credit card data, you need to know which PCI level applies to you so that you can become PCI compliant and avoid costly fines. Part of this process is making sure that any third-party providers you use follow PCI security standards. When it comes to security, 8x8 provides reliable and compliant cloud solutions at a level rarely matched by other cloud providers. Don't take your chances with a subpar cloud-based telecom system. Call 1-866-879-8647 or fill out our form online to request a no-obligation quote from an 8x8 Product Specialist.