In conversations with small or emerging businesses we consistently hear a misconception about their requirements under the Payment Card Industry Data Security Standard.
“We are a Level 4 merchant and so we don’t need to be compliant.”
Simply not true. If you are a Level 4 merchant, then, like any merchant collecting, processing or storing protected payment card data, you need to be secure. And from the perspective of the payment card folks, complying with PCI DSS is the only way to do it.
What is a Level 4 firm?
A Level 4 firm, as defined by the PCI Data Security Standard, is:
- Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and
- All other merchants processing up to 1,000,000 Visa transactions annually regardless of the acceptance channel.
Level 4 firms and showing compliance
Showing compliance means completing a self-assessment and a certified quarterly scan and submitting those documents to your bank or processor; for a Level 4 firm, this reporting is voluntary.
Operating in a compliant manner
But being compliant, that is, actually meeting the requirements set forth in the Payment Card Industry DSS, is not optional. In fact, not being compliant can have heavy repercussions, including the loss of safe harbor provisions in the event of a breach.
Now what?
If you are a Level 4 merchant and you are unsure of how your security program measures up to the PCI DSS, download the self-assessment form and work through it. Then use the items you find are being missed as a project pick list to improve your information security program.
Doug Davidson, CISA