Payment Card Industry Data Security Standard (PCI DSS) compliance is essential for any ecommerce business, but did you know that there are different degrees of PCI compliance? When choosing a merchant services provider or payment gateway, Level 1 PCI compliance is the gold standard. In some cases, you may be required to have this kind of protection for your site.
What Is PCI Compliance?
PCI compliance refers to a set of requirements established by the PCI Security Standards Council. The standard is organised into 12 requirements intended to protect ecommerce websites from cyber threats and fraud:
- You need a secure firewall
- You need secure passwords for sensitive logins
- You must take steps to secure cardholder data
- All transactions must be encrypted
- You must install and maintain current antivirus software
- You must ensure that your internal systems and apps are secure at all times
- You must only make cardholder data available to essential users
- Each user with back-end access to your store must have a unique ID
- You must restrict physical access to cardholder data
- You must track and monitor all user access to cardholder information
- You must test and audit your security systems on a regular basis
- You must maintain an active cybersecurity policy
Every ecommerce business is required to abide by these standards, but Level 1 PCI compliance takes things even further.
What Is PCI Level 1 Compliance?
PCI Level 1 compliance is the most stringent of the four PCI merchant compliance levels. Level 1 applies to every merchant that processes:
- A minimum of 6 million Visa, Mastercard, or Discover transactions per year
- A minimum of 2.5 million American Express transactions per year
- A minimum of 1 million JCB transactions per year
This level of compliance is also required for any business that has suffered a security breach or cyberattack in which cardholder data was compromised.
In addition to the standard PCI compliance requirements, PCI Level 1 organisations must submit:
- An annual Report on Compliance (ROC): This report must be completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). The purpose of the ROC is to confirm that your organisation is meeting or exceeding all PCI DSS requirements. Though all ecommerce businesses are required to meet the standard, not all businesses are required to undergo this formal audit.
- A quarterly network scan: These scans must be conducted by an Approved Scanning Vendor (ASV), an individual or organisation certified by the PCI Security Standards Council to scan websites for external vulnerabilities that could be exploited by attackers.
- An Attestation of Compliance (AOC) form: This is a short form confirming compliance with all 12 requirements noted above. Like the ROC, the AOC form is typically completed by a Qualified Security Assessor (QSA) and submitted to the acquiring bank and the PCI Security Standards Council. It may be submitted in addition to, or in place of, the ROC.
All audit results must be submitted to the company’s acquiring bank for acceptance and verification.
What is a PCI Level 1 Service Provider?
There are two types of businesses that require PCI compliance: merchants and service providers. Merchants are the businesses that accept credit card payments from retail customers. Service providers are the businesses that make it possible to accept those payments, including:
- Merchant services providers
- Payment processors
- Payment gateway providers
- Acquiring banks
For service providers, the requirements for Level 1 compliance are slightly different. Level 1 PCI compliance is required for service providers that process more than 300,000 credit card transactions per year. Like Level 1 merchants, Level 1 service providers must submit an annual ROC, quarterly network scans, and an Attestation of Compliance form. Penetration testing and internal vulnerability scanning (in addition to the standard external ASV scans) are also required.
Why Every Merchant Should Have a Level 1 Service Provider
When choosing a service provider for your ecommerce business, PCI compliance should be a priority. When tasking a business with the responsibility of securing your customers’ credit card transactions, you want to ensure that they’re held to the highest level of scrutiny and accountability.
A small business is hacked every 19 seconds. When you understand the severity of the threat and what’s at stake, it’s easy to see why you want to ensure the highest level of cybersecurity at all times.