05 April 2010

3 Basic Factors that Determine PCI Compliance Levels

Merchants accepting payment cards are classified into four levels for Visa and MasterCard, three levels for American Express, two levels for JCB International, and none for Discover. The basic determinants of your PCI compliance level are the payment card brand, your annual volume of payment card transactions, and the payment channels you use.

Even though some providers offer a merchant account with no PCI fee, most merchant account providers charge a PCI compliance fee that depends on your compliance level. This is because every merchant who accepts electronic payment cards such as credit and debit cards is subject to PCI DSS compliance, which makes sure that safety measures are built into their payment card processing to protect confidential information. Here are the basic factors by which the corresponding PCI compliance levels are determined:

Payment card brand

Even though it is PCI that developed these security measures, it is the payment card brand that dictates the levels to which merchants belong. This is why you may notice that a different number of levels applies to different card brands. Visa and MasterCard have four levels, American Express has three levels, JCB International has two levels, while Discover has none. Discover is taking a different approach to PCI DSS compliance.

Annual volume of payment card transactions

It is fundamentally your annual volume of credit and debit card transactions that determines the PCI compliance level to which your store belongs. The higher your card processing volume, the greater your security risk. It is therefore logical to impose stricter requirements to ensure the safety of your customers' information, as well as your own.

  • Visa. For Visa, level one covers merchants with over six million Visa payment card transactions annually; level two covers those with between one and six million card transactions annually; level three covers merchants with twenty thousand to one million yearly transactions; and level four covers those with a Visa transaction volume of less than twenty thousand annually.
  • MasterCard. All four MasterCard compliance levels are determined by the same transaction volumes that Visa applies. The difference is that level one for MasterCard also includes every merchant who falls into the level one category for any other card brand. Say, for example, your store has five million MasterCard transactions annually and seven million Visa transactions. It falls under level one for Visa. Even though your store does not reach the volume required for level one for MasterCard, it is still considered level one for MasterCard, because it belongs to level one for Visa. Furthermore, if your store has been hacked, you also fall under level one regardless of your MasterCard transaction volume.
  • American Express. AMEX has three PCI compliance levels. Level one covers merchants with more than 2.5 million AMEX transactions annually; level two covers those with between fifty thousand and 2.5 million annual transactions; and level three covers those with fewer than fifty thousand.
  • JCB International. Level one for JCB includes merchants with over one million JCB transactions annually, and level two covers those with fewer than one million annual JCB transactions.
  • Discover. Discover has no PCI compliance levels, but is said to be taking a risk-based approach to PCI DSS compliance.

Payment channels used

In determining your PCI compliance level, card brands count all of your credit and debit card transactions, regardless of the payment channel your customers use. Every channel is considered, such as over the counter, the Internet, and the phone.

Today's technology makes it very easy for hackers to steal information, as well as money, from you and your customers. Because of this, PCI is making an effort to protect everyone involved in the payment card process from this threat through its security standards and requirements. The Payment Card Industry Data Security Standard (PCI DSS) aims to continuously monitor the security measures in your system and make electronic processing in your store safer for you and your customers.
