Wednesday, December 10, 2008

More on PCI and Tiers 1, 2 and 3

The Payment Card Industry (PCI) compliance regulation affects almost all merchants that accept credit and debit card payments, with the goal of securing cardholders against vulnerabilities to card data theft, misuse or loss. The driving forces behind PCI compliance policies are the major credit card payment processors -- Visa, MasterCard, American Express, Discover Card and JCB International -- which formed the PCI Security Standards Council to define how retailers should protect transactional data and monitor their data security performance.

Each PCI Council member has defined categories of merchants based on the number of transactions submitted per year, along with PCI audit and reporting requirements pertaining to each category. The precise definition of each category varies between the credit card companies, but we will use Visa's categories to illustrate the scale (MasterCard and American Express generally have lower thresholds for each category):

  • Tier 1: The highest-volume merchants, which submit 6 million or more transactions per year.
  • Tier 2: Merchants that submit 1-6 million transactions per year.
  • Tier 3: Merchants that submit 20,000 to 1 million e-commerce transactions per year.
  • Level 4: Merchants submitting fewer than 20,000 e-commerce transactions per year, and all other merchants up to 1 million transactions per year.

Rightfully, merchants submitting higher volumes of transactions face the most stringent PCI compliance standards and penalties, due to the risks associated with the quantity of data they possess. However, Visa reports that cardholder data is compromised more frequently among Level 4 merchants than among Tier 1, 2 and 3 merchants combined -- small wonder, because 99% of the merchants that accept Visa cards are Level 4 merchants.

When we talk about PCI compliance, organizations are often misled by five common myths about becoming compliant with the Data Security Standard (DSS) as outlined by the Payment Card Industry (PCI). Here, we debunk some of these common myths about the PCI DSS.

Myth 1: Varying degrees of compliance are required.

The most common misconception is that there are varying degrees of compliance required, depending upon a merchant's particular level, which is determined by its annual number of transactions. The reality is quite the opposite. All merchants, whether a Level 4 merchant with fewer than 20,000 transactions per year or a Level 1 merchant with over 6 million transactions per year, are ultimately required to be compliant with the PCI Data Security Standard (PCI DSS) as established by the PCI Security Standards Council. It is true, however, that the timing of when compliance is required can vary depending upon a particular merchant level. Regardless of the actual deadline for a merchant, the PCI DSS outlines a comprehensive set of requirements that are focused on the following areas:

• Build and maintain a secure network.
• Protect cardholder data.
• Maintain a Vulnerability Management Program.
• Implement strong access control measures.
• Regularly monitor and test networks.
• Maintain an Information Security Policy.

Read more about the PCI Data Security Standard on the PCI Security Standards Council's website.

Myth 2: Only Level 1 Merchants are targeted for attacks or security breaches.
According to Visa, “Large (Level 1) merchants and processor breaches account for the majority of compromised accounts, yet small (Level 4) merchants account for over 85 percent of compromise events.”

Myth 3: PCI Compliance is something that only the IT Department needs to worry about.
Requirement 12 states that an Information Security Policy must be maintained, which can impact every level and function within an organization.

Myth 4: All PCI Data needs to be retained.
Not all PCI data needs to be retained. All too often, access to sensitive credit card data is restricted within an organization, but the retention of that data is not well-defined based upon a true business need. Organizations routinely do restrict access, but still allow a few individuals complete access to all unencrypted PCI data, which opens a wide door for a security breach or data theft.

Myth 5: Executives may view PCI Compliance as done after an annual audit or after the completion of the annual self-assessment questionnaire.
Adherence to the PCI DSS needs to be embraced as part of the ongoing monitoring processes within an organization. Organizations that acknowledge that security must be incorporated into every process recognize that it is much more than an annual exercise.