Many business owners think that data breaches and theft only happen to giant companies – but that is just not true.
Starting businesses can also be a victim to this, long as data is being exchanged between customers and organizations. The PCI-DSS contains a set of requirements to help organisations prevent data breaches and card fraud. Currently, there are four PCI compliance levels which are determined by the number of transactions a company handles each year.
In this article, you’ll understand what PCI-DSS means and what level your organization belongs in.
Payment Card Industry Data Security Standard (PCI-DSS) Overview
Launched on September 07, 2006, Payment Card Industry Data Security Standard, or simply PCI-DSS, refers to a set of standards all businesses follow to ensure a secure environment towards the different card transactions they have with their clients. This is generally mandated by credit card companies and is discussed in their credit card network agreements.
PCI-DSS offers a framework for companies to identify and address data threats and vulnerabilities towards credit cards used for payments. It helps businesses build a trusting relationship with their clients and holds them accountable should data breach occur.
Any business entity that accepts, processes and stores payment card information of their customers are required to comply with PCI-DSS. If a data breach happens and an organization was proven to be non-compliant at that moment, they may face hefty fines and fees as well as reputational damage and the loss of their customers’ trust.
PCI standards council
The PCI Security Standards Council, or PCI SSC, is an independent body created by several credit card companies like Visa, MasterCard, American Express, Discover and JCB to administer, maintain, and promote PCI-DSS for the safety of cardholder data worldwide.
PCI SSC provides comprehensive measures and materials, that includes specific frameworks, tools and resources to help businesses ensure the security of their cardholder clients at all times.
They provide the necessary plan for developing complete payment card data security processes that includes prevention, detection and appropriate reaction to security incidents. They are also responsible for the development of the standards for PCI-DSS compliance.
PCI-DSS Level 1,2,3 and 4
The PCI SSC created different levels for PCI-DSS compliance depending on the number of credit or debit card transactions a business processes every year. This classification level determines what a company needs to do to remain compliant.
In identifying what level your business belongs to, you may encounter the word “merchant” a lot of times.You should not be confused. It refers to any entity that accepts payment cards as payment for goods and services. This simply means your business.
PCI-DSS Level 1
This applies to merchants processing over 6 million card transactions per year, across all channels. Any businesses that have had a data breach over the course of the year may also be classified under this.
If your company belongs to PCI Merchant Level 1, you must do an annual third-party audit to verify compliance and do a network scan by an approved scanning vendor (ASV) every quarter. PCI Merchant Level 1 organizations must also complete an annual Attestation of Compliance (AoC) as well as a Report on Compliance (RoC).
PCI-DSS Level 2
Merchants processing 1 to 6 million card transactions per year, across all channels, fall under this level.
If your company is considered to be a PCI Merchant Level 2, you’ll need to conduct the PCI-DSS Self-Assessment Questionnaire (SAQ).
Additionally, the company will need to go through network scans with an ASV every quarter, as well as receive an AoC annually.
PCI-DSS Level 3
PCI-DSS merchants under level 3 usually handle 20,000 to 1 million card transactions per year. Just like the PCI Merchant Level 2 requirements, your organization is also required to conduct the PCI DSS SAQ, as well as go through quarterly network scans with an ASV. You are also requested to complete an AoC annually.
If your organization is deemed a PCI Merchant Level 3 but falls victim to a data breach that impacts cardholder information, you may be penalized by making you meet the requirements of another level, usually those of PCI Merchant Level 1.
PCI-DSS Level 4
This is where small to medium-sized businesses usually fall on. Merchants handling fewer than 20,000 card transactions per year are grouped on this level.
A yearly assessment using the relevant SAQ must be completed and a quarterly network scan may be required. Just like the other levels, you must also complete an AoC annually.