The Levels of PCI Compliance for Internet Marketing What Is PCI DSS Compliance, and What Are the Different Levels? Security breaches are a fact of life in today's digital marketing. Experiencing a security breach can damage any company and cause it to lose credibility, money and even its stock value. Many organizations go out of business after a major breach. That's why complying with PCI DSS, the Payment Card Industry Data Security Standard, is so important. There are four levels of PCI compliant ecommerce that cover all internet marketing companies that process, store or transmit credit card data. Choosing the right level for a given company, integrating in-house and online security protocols and making any essential upgrades are critical for securing customer information and protecting company data. The Levels of PCI Compliance for Internet Marketing The levels of PCI compliance are issued by MasterCard and Visa and apply to the number of those transactions made annually. [1] Any business that stores, processes or transmits cardholder information must be PCI compliant regardless of its size. Information that must be protected includes the Primary Account Number, Cardholder Name, Card Expiration Date, Service Code, PINs, PIN blocks, CAV2, CVC2, CVV2, CID and magnetic stripe data. [2] Here are the summary details about the compliance requirements of the four levels: Level 1 PCI Compliance Requirements This level is the highest and applies to companies that process more than 6 million credit card transactions each year. Level 1 compliant companies must conduct yearly on-site reviews using an internal auditor, if signed off on by a company officer, or a Level 1 Onsite Assessment. The site must also be scanned quarterly by an independent, Approved Scan Vendor, or ASV. Level 2 PCI Compliance Requirements Level 2 compliance (most Corporate Accounts) applies to companies that process between 1 million and 6 million transactions annually. The total includes online and brick-and-mortar sales. These companies must complete an Annual Self-Assessment Questionnaire about their in-house and online security procedures. The companies must also file an Attestation of Compliance Form and receive a Quarterly Scan by an approved ASV. Level 3 PCI Compliance Requirements Level 3 PCI DSS compliance (most SMB to Mid-tier companies) is for companies that process 20,000 to 1 million transaction per year. The requirements also include completing an Annual Self-Assessment Questionnaire, getting a Quarterly Network Scan by an ASV and filing the Attestation of Compliance Form. Level 4 PCI Compliance Requirements Companies that process fewer than 20,000 transactions (many SMBs) annual fall into the Level 4 category. Compliance requires filling out the Annual Self-Assessment Questionnaire and the Attestation of Compliance Form and getting the Quarterly Scan by an ASV. Costs of Compliance Compliance doesn’t end with just complying with the technical regulations. The questionnaire delves into the security protocols that each company uses. It’s important to remember that any breach can damage a company’s reputation, so keeping up with the latest security fixes is critical. The costs of Level 4 compliance could run as little as $60 per month. Level 3 PCI compliance might run about $1,200 a year or more depending on the business. Level 2 compliance costs range from $10,000 to $50,000 per year. Level 4 compliance tends to run $50,000 and up annually. [3] These are just the costs of demonstrating compliance and don’t include the security costs of in-house efforts to secure data. The best strategy is to enlist the aid of an experienced developer to ensure that your firewall, integrated applications and in-house security procedures meet or exceed PCI DSS requirements. Clarity ecommerce is not only a PCI-compliant ecommerce solution, but Clarity specializes in helping their clients select the correct level of PCI compliance and hardening their security practices to make maintaining compliance as easy as possible. Noncompliance Penalties Payment brands, such as MasterCard and Visa, can levy fines at their discretion on companies that fail to meet their standards. These fines can run between $5,000 to $100,000 per month for violations. The fines alone could be catastrophic for any business running on a tight profit margin. That’s why getting professional help with compliance adherence is so critical. Choosing the right developer can help to integrate third-party connections into a robust security solutions or PCI validators that adds an extra layer of security. Any new data can be validated outside of the company’s firewall before being integrated into internal operating systems. [2] In certain cases, MasterCard and Visa could refuse to accept further transactions from a repeat offender, which would compromise any business operation in today’s card-dependent society. That’s why it’s important to choose an experienced development partner and respected payment processor. Tokenization is one security method that helps to protect small businesses. Credit card information is held securely by a respected third-party provider (usually referred as a PCI provider) and a token is provided that is used for future transactions. The tokens can’t be hacked or deciphered, so credit card data is protected at all times. [4] Even if your site or database is breached, there is no credit card data stored, so your company isn’t liable for any mischievous transactions. Ensuring Compliance and Security The best approach is to hire a development partner to examine all your PCI compliant ecommerce and in-house security procedures. Web design often involves linking a bunch of old and new siloed systems, which often results in vulnerabilities. You don’t want to risk your ability to process credit cards because of a breach or suffer the consequences of your customers having their credit card data compromised. You’re legally responsible for protecting credit card data, so you need to have an experienced expert in web security working on your behalf. Clarity ecommerce adheres to all PCI compliance rules and every ecommerce solution that Clarity designs and implements is deemed PCI DSS compliant before going into full production. Give Clarity a call today to discuss your PCI compliance questions. References: [1] Onlinetech.com: Levels of PCI Compliance http://www.onlinetech.com/resources/references/levels-of-pci-compliance [2] Pcicomplianceguide.org: PCI Compliance Guide Frequently Asked Questions https://www.pcicomplianceguide.org/faq/#1 [3] Beyondsecurity.com: Frequently asked PCI compliance questions https://www.beyondsecurity.com/pci_compliance.html [4] Centurybizsolutions.net: What Does PCI Compliance Mean for Your Business? https://www.centurybizsolutions.net/pci-compliance/what-does-pci-compliance-mean-for-your-business/