PCI Myth #1 – Busted!

PCI Myth #1: Only big businesses need to worry about PCI

I recently read a misconception about PCI that I wanted to address for you. The misconception is that using an online processor like Stripe or PayPal lets you avoid having to comply with the PCI Data Security Standard. The reasoning offered was that big companies keep credit card numbers on their own servers and therefore have to pay for PCI compliance.
As a PCI expert, I can tell you that big businesses are never encouraged to keep credit card numbers on their servers.
The only companies that are expected to keep credit card numbers on their servers are the issuing banks.
Further: big businesses (Merchant Level 1) pay for a third-party assessment of their network environment, whether they are storing credit card numbers or not.
 
All businesses that accept credit cards are expected, at the very least, to be in compliance with the PCI standards. You, as a small business owner, may not be aware of this, but you would become aware of it if your network were breached and your customer files (with or without credit card numbers) were released to Internet criminals. The average breach costs the merchant about $750,000. Many small or medium companies would vanish without a trace if faced with that kind of unplanned cost.
 
Here are the PCI merchant levels and the validation required for each:

Merchant Level: 1
• Merchant Criteria:
1. Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year.
2. Any merchant that has had a data breach or attack that resulted in an account data compromise.
3. Any merchant identified by any card association as Level 1.
• Validation Requirements:
1. Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”) – also commonly known as a Level 1 onsite assessment – or by an internal auditor if signed by an officer of the company.
2. Quarterly network scan by an Approved Scanning Vendor (ASV).
3. Attestation of Compliance Form.

Merchant Level: 2
• Merchant Criteria:
1. 1 million – 6 million Visa or MasterCard transactions annually (all channels).
• Validation Requirements for Visa and MasterCard:
1. Annual Self-Assessment Questionnaire (“SAQ”).
2. Quarterly network scan by an ASV.
3. Attestation of Compliance Form.

Merchant Level: 3
• Merchant Criteria:
1. 20,000 to 1 million Visa or MasterCard e-commerce transactions annually.
• Validation Requirements for Visa and MasterCard:
1. Annual Self-Assessment Questionnaire (“SAQ”).
2. Quarterly network scan by an ASV.
3. Attestation of Compliance Form.

Merchant Level: 4
• Merchant Criteria:
1. Fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.
• Validation Requirements for Visa and MasterCard:
1. Annual Self-Assessment Questionnaire (“SAQ”).
2. Quarterly network scan by an ASV.
3. Attestation of Compliance Form.

Note: Ultimately, compliance validation requirements are set by the acquirer.

All merchants, even the tiny ones, should be completing a PCI Self-Assessment Questionnaire and having quarterly scans of their externally-facing domain names, so that they know where they are weak beyond the specific question of card number storage. This is a good idea even if their acquiring bank (the bank that manages their business bank account) is not requesting an SAQ. The danger they face may well be customer data leaking to the Internet, where criminals can leverage it to make money.
 
Running a PCI self-assessment is one of the cheapest ways there is to begin protecting one's customers.
Atlanta Cloud will consult with you while you are performing your Self-Assessment.
Message us here, or call 678-687-6104, to set up a free strategy session.