
PCI Compliance: Merchant Levels and Their Importance

written by: Andy Malburg•edited by: Bill Bunter•updated: 1/28/2011

Have you ever wondered, as a small business owner, which merchant level you fall into for PCI compliance purposes? Have you ever thought about what could happen if you were not PCI compliant?


    In this article, I will discuss the importance of PCI compliance and how it can affect your small business if you do not take the necessary precautions to secure cardholder data. Before we talk about why it matters, you should have a general understanding of the different "merchant levels" and the validation requirements that go with each. The thresholds below are Visa's (MasterCard's are nearly identical); in practice it is your acquiring bank that formally assigns your level, so confirm it with them. Each level is listed below:

    Merchant Levels:

    Level 1: More than 6 million Visa/MasterCard transactions per year, across all channels. The card brands can also place a merchant at Level 1 regardless of volume, and commonly do so for any merchant that has suffered a data breach.

    Level 2: 1 million to 6 million transactions per year, across all channels.

    Level 3: 20,000 to 1 million e-commerce transactions per year.

    Level 4: Fewer than 20,000 e-commerce transactions per year, plus all other merchants processing up to 1 million transactions per year, regardless of channel. Most small businesses are Level 4.

    Validation Requirements:

    Level 1: Annual on-site assessment, resulting in a Report on Compliance, performed either by a Qualified Security Assessor (QSA) or by the merchant's own internal audit staff. Quarterly external network vulnerability scans by an Approved Scanning Vendor (ASV) are also required.

    Levels 2, 3 and 4: Annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans of any Internet-facing systems. Some card brands and acquirers impose stricter requirements on Level 2 merchants, so check with your acquirer rather than assuming the SAQ is enough.

    Importance:

    In my opinion, if you do not become PCI compliant, you leave yourself open to many of the attacks and threats that are prevalent today. For instance, if you do not put a firewall between your network and the Internet (PCI DSS Requirement 1), you leave yourself open to denial-of-service attacks and expose internal hosts and services directly to anyone who scans your public IP addresses. Another big one for me is that you must not leave vendor-supplied default usernames and passwords on your equipment (PCI DSS Requirement 2). If you run Cisco networking equipment, most network engineers know that many of these devices ship with a well-known default account of cisco/cisco, and the default credentials for practically every vendor's products are easy to find on the Internet. If you do not change these passwords, anyone who can reach the device's management interface can log in and reconfigure your network, and you are non-compliant in the process.
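    The default-credential point above, as an added example that is not part of the original article: a Cisco IOS configuration showing the weak starting state beside a hardened replacement that removes the default account, stores secrets as hashes, replaces Telnet with SSH and restricts management access to one subnet. The account name netadmin, the hostname edge-rtr, the management subnet 10.10.1.0/24, the domain example.com and the passphrase placeholders are assumptions for illustration; substitute your own values.

```cisco
! --- Weak starting state (hypothetical): vendor-style default account,
! --- password kept in clear text, Telnet accepted from any source address
username cisco password cisco
line vty 0 4
 login local
 transport input telnet

! --- Hardened replacement (added example, not the article's own config)
! Remove the default account; create a named admin with a hashed secret
no username cisco
username netadmin privilege 15 secret <strong-passphrase-1>
! Privileged-mode password stored as a hash rather than clear text
enable secret <strong-passphrase-2>
! Obscure any remaining clear-text passwords in the running config
service password-encryption
! SSH needs a hostname, a domain name and an RSA key; allow only SSHv2
hostname edge-rtr
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
! Turn off the web management interface, which is rarely needed
no ip http server
! Only the management subnet (assumption: 10.10.1.0/24) may reach the CLI
ip access-list standard MGMT-HOSTS
 permit 10.10.1.0 0.0.0.255
 deny any log
line vty 0 4
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
! Idle timeout on the console as well
line con 0
 exec-timeout 5 0
```

    After applying this, confirm the default account is gone with `show running-config | include username` and that only SSHv2 is offered with `show ip ssh`. Closing Telnet (port 23) also removes a finding that a quarterly ASV scan would otherwise report against any device reachable from the Internet.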

    If you do not take the necessary steps to become PCI compliant, you are taking an enormous risk with your personal, financial and business well-being. Beyond the breach itself, your acquiring bank can pass card-brand fines on to you, raise your transaction fees, or terminate your ability to accept cards at all. The reason the Payment Card Industry created this standard was to protect not only the consumer but the business sector as well. By researching PCI compliance thoroughly and reviewing your own internal practices and procedures against it, you can go a long way toward protecting the long-term value of your business.

    In the next article, we will examine PCI compliance from a wireless LAN perspective. Wireless is very popular and extremely user friendly, but you must know that a poorly secured wireless network can be the entry point for a major breach of cardholder data.