Payment Card Industry Data Security Standard (PCI DSS)

Merchant & Service Provider Levels and Validation Requirements

Merchant PCI levels are dependent on the number of transactions that take place annually. The levels are defined as follows:

  • Level 1 - More than 6 million transactions per year or merchants whose data has been compromised
  • Level 2 - 1 million to 6 million transactions per year
  • Level 3 - 20,000 to 1 million transactions per year
  • Level 4 - Less than 20,000 transactions per year

Service providers are organizations that process, store, or transmit cardholder data on behalf of the credit card company members, merchants, or other service providers. Service provider levels are defined as:

  • Level 1 - All processors and payment gateways
  • Level 2 - Any service provider not in Level 1 that stores, processes or transmits more than 1 million accounts or transactions annually
  • Level 3 - Any service provider not in Level 1 that stores, processes or transmits less than 1 million accounts or transactions annually

To validate compliance with the PCI DSS, all merchants, regardless of credit card transaction volume, must have their Internet-facing systems scanned quarterly by an Approved Scanning Vendor (ASV). In addition, all merchants except Level 1 are required to submit an annual self-assessment questionnaire. Level 1 merchants and Level 1 and 2 service providers are required to have an annual onsite security audit by a Qualified Security Assessor (QSA). Rapid7 has partnered with Coalfire Systems to provide Level 1 merchants a complete solution.

The payment card industry is beginning to enforce PCI compliance. Non-compliance can result in fines, restrictions or possibly permanent expulsion from card acceptance programs. If your business depends on accepting credit cards, then you have no choice but to become PCI compliant. Rapid7 makes it easy by providing the necessary components in one easy-to-use web-based service.