The Payment Card Industry Data Security Standard (PCI DSS) is a written standard produced by the major card brands and maintained by the Payment Card Industry Security Standards Council (PCI SSC).
For every e-commerce merchant who accepts credit or debit card payments on their website, PCI DSS compliance is mandatory. All information entered by customers is sensitive data, so it must be well protected.
“While PCI DSS compliance is not a law, that doesn’t mean it’s not a big deal to go beyond compliance,” said Square, a mobile payment vendor. “In fact, the 2015 Verizon data breach report found that nearly 1,000,000 data breaches have occurred this year [2012], so it’s more important than ever to keep your payment processing life cycle secure.”
Importantly, PCI DSS compliance is also required for sites that outsource their card processing to third parties (such as PayPal, Stripe, Square, etc.). An e-commerce website can touch card data during the online checkout, but there are also many other ways a merchant can be exposed to it. Let’s take a look at a few of them here.
PCI DSS compliance applies to any organization, regardless of size or transaction volume, that receives, transmits or stores cardholder data. Every merchant falls into one of four merchant levels based on the number of Visa transactions it handles over a 12-month period. The transaction count is the total number of Visa transactions (credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). Where a merchant corporation has multiple DBAs, the total number of transactions stored, processed or transmitted by the corporate entity is used to determine the validation level. If the data is not aggregated, that is, the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, the acquirer continues to use the transaction count of each individual DBA to determine the validation level.
Compliance level
Merchant levels as defined by Visa
Level 1. Any merchant – regardless of acceptance channel – processing more than 6M Visa transactions per year. Also any merchant that Visa, at its sole discretion, determines should meet the Level 1 requirements in order to minimize risk to the Visa system.
Level 2. Any merchant – regardless of acceptance channel – processing 1M to 6M Visa transactions per year.
Level 3. Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
Level 4. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants – regardless of acceptance channel – processing up to 1M Visa transactions per year.
It is estimated that more than 76% of all global e-commerce merchants who fall into Level 4 do not meet their mandatory requirements. This seems to be more a lack of knowledge than a problem that can be avoided.