Information on Merchant Accounts,
Ecommerce and Credit Card Processing

October 25th, 2006 by Jamie Estep

Required Actions for PCI Compliance

Filed in: Ecommerce, Fraud, Merchant Accounts | 2 comments

If you accept credit cards online, this chart is for you. It is a simple breakdown of the PCI data-security compliance levels and their requirements. If you accept transactions online, you fall into one of these levels. The chart explains what places a merchant in a specific level, and what a merchant in that level must do to remain compliant.

The yearly cost for a level 2, 3 or 4 merchant is around $150, while the yearly cost for a level 1 merchant is more than $30,000. Because of this, it is extremely important never to suffer a data compromise. I personally recommend not storing any sensitive data online at all; if it is stored offline, access should be highly restricted and the data should be encrypted. Track data should never be stored anywhere, under any circumstances.
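The practical way to act on the "never store track data" rule is to check your own logs and data stores for it. The following is an added example, not code from the original post: a small scanner that flags magnetic-stripe track 1 and track 2 data (ISO 7813 layout) and bare Luhn-valid card numbers in text such as an application log, masking each hit to first six and last four digits. The log lines at the bottom are constructed for this example and use the well-known 4111 1111 1111 1111 and 5555 5555 5555 4444 test numbers; the function names are mine.

```python
"""Scan text (application logs, a database dump, a support ticket export)
for stored card data that PCI DSS does not permit to be kept.

Added example. Regex layouts follow ISO 7813 track formats; the sample log
lines below are constructed, using public test card numbers.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# A bare run of 13-19 digits, optionally separated by spaces or dashes.
# Lookarounds reject longer digit runs (tracking numbers, hashes in decimal).
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check; filters order ids etc."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(text: str) -> list:
    """Return findings as (line_no, kind, masked_pan) tuples.

    kind is 'track1', 'track2' or 'pan'. Track hits are reported once as
    track data; the line is scrubbed before the bare-PAN pass so the same
    number is not reported twice.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1_RE.finditer(line):
            findings.append((line_no, "track1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            findings.append((line_no, "track2", mask_pan(m.group(1))))
        scrubbed = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", line))
        for m in PAN_RE.finditer(scrubbed):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((line_no, "pan", mask_pan(digits)))
    return findings


# Constructed sample: one harmless order id (not Luhn-valid), one raw swipe
# logged at DEBUG level (track 1), one track 2 string, one spaced PAN in a
# retry message, and a long shipping tracking number that must not match.
SAMPLE_LOG = """\
2006-10-25 17:52:03 INFO  order_id=1234567890123456 status=authorized
2006-10-25 17:52:04 DEBUG raw_swipe=%B5555555555554444^DOE/JOHN^25121011234567890?
2006-10-25 17:52:04 DEBUG track2=;4111111111111111=25121011234567890?
2006-10-25 17:53:10 WARN  retry pan=4111 1111 1111 1111 exp=12/25
2006-10-25 17:54:00 INFO  shipment tracking 9400110200881234567890
"""

if __name__ == "__main__":
    for line_no, kind, masked in find_card_data(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {masked}")
```

Any `track1` or `track2` hit is a stop-everything finding: track data must not exist after authorization, so the fix is to remove the logging path that wrote it and purge the stored copies, not merely to mask the log. Bare PAN hits point at data that must either be encrypted and access-restricted, as the post recommends, or better, not stored at all.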

If you have a data compromise and cardholder data is stolen, you should expect upwards of $100,000 in fines, arbitration fees and regulatory obligations, in addition to the cost of level 1 PCI certification.

Level 1 Definition:
  • Over 6 million annual Visa or MasterCard Transactions
  • Any merchant that has suffered a hack or attack resulting in a data compromise
  • Any merchant that card associations, at their discretion, determine should meet requirements
  • September 30, 2004 (1 year for new Level 1 merchants)
Level 2 Definition:
  • Visa: 1M – 6M annual transactions
  • MC: 150K – 6M annual transactions
  • Self assessment questionnaire and Quarterly vulnerability scan by approved scanning vendor
  • June 30, 2005 (Sep 30, 2007 for new Level 2 Visa merchants)
Level 3 Definition:
  • Visa: 20K – 1M annual transactions
  • MC: 20K – 150K annual transactions
  • Self assessment questionnaire and Quarterly vulnerability scan by approved scanning vendor
  • June 30, 2005
Level 4 Definition:
  • Fewer than 20K ecommerce or 1M total Visa and MC transactions
  • Self assessment questionnaire and Quarterly vulnerability scan by approved scanning vendor
  • Dates determined by merchant’s acquirer

2 Responses to “Required Actions for PCI Compliance”

  1. Datasecurity October 30, 2006 at 7:52 pm

    If you would like more information about PCI DSS compliance you should check out the datasecurity blog. It outlines and clarifies the intent behind many requirements.

  2. StrongBox December 11, 2009 at 11:41 am

    I recently participated in a seminar on Secure Commerce Payment Data - Enterprise Payment Security, which was hosted by Bill Zujewski, V.P. Product Marketing at ATG, Dave Glaser, V.P. Global Services at Cybersource, and Chris Pogue, Sr. Security Consultant at Trustwave. The focal point of discussion was security of data in relation to the Order Management Lifecycle.
    To share my impressions briefly: I guess the main point of the seminar was that the PCI compliance regulations are merely a way to reduce the amount of fraud that is out there, but unless the data is actually somehow completely eliminated, the risk of theft and fraud will always exist, regardless of whether a company is PCI compliant or not. Therefore, as Mr. Dave Glaser said, it is time for a NEW approach: to work on ELIMINATING the data rather than CONTAINING IT. He called the containment approach that is practiced today “sub-optimal”.
    I guess one may say then, that the PCI regulations of today are implemented as a part of an ongoing process that is desperately trying to solve the “sensitive data pollution” issue, and we will see many other attempts in the near future to prevent the “leaks” from happening.
    In my humble opinion, following PCI policies and regulations is one thing; however, how to implement and change our daily data handling habits is another.
    How many of us REALLY do wash our hands after being out? Well, the statistics show that unfortunately most of us DO NOT, yet I believe we all know about germs, how easily they spread, and that the spread of germs can be limited if we would follow one simple procedure, namely washing our hands regularly. If we would apply this tendency in human nature to simply “ignore danger” by not washing hands to the way we handle sensitive data, the outlook for fraud prevention, as long as it is handled by us, is ...well, not very positive.
    Having a certificate of being “secured” from data fraud is not and will not be enough.
    I believe that the success of data security lies in the “hands” of each individual business owner, and it’s up to him/her to change the “data hygiene habits”. This can be done by implementing a secure business etiquette, using the correct and safe commerce/merchant payment solutions, secure processing companies, secure shopping carts and secure back-office software, in combination, of course, with good old-fashioned common sense. There are solutions that can ease the safety “routine”, so why not use them?