Merchant levels and PCI DSS compliance

ECLUB NEWS

Questions continue to arise about whether clubs must comply with the Payment Card Industry Data Security Standards (PCI DSS). The short answer is that if your club stores, processes and transmits cardholder data, the chances are high that you must comply with the PCI DSS.

In general terms, entities that typically need to comply are service providers and merchants (compliance mandated by merchant banks). Additionally, each payment card brand has its own set of validation and reporting requirements. Financial institutions are currently in a grey area, but this is expected to change in the next couple of years.

As new data breaches are reported daily and stealing credit card numbers continues to prosper as an industry of its own, albeit an illicit one, clubs should pay heed to the importance of protecting members' information so that they do not risk losing their members' confidence or finding themselves in a news headline.

If those reasons for compliance are not motivation enough, consider the appeal of obtaining "Safe Harbor" status. This status protects organizations from fines and compliance exposure in the event of a compromise. To be eligible for it, organizations must be in full compliance with the PCI DSS at the time of the breach (as demonstrated during a forensic examination). Note that organizations must have validated their full compliance prior to the compromise. If an organization is proven to be noncompliant, or its merchants or agents are noncompliant, it may be assessed a noncompliance fine (up to $500K for egregious violations), forensic investigation costs, issuer or acquirer losses, unlimited liability for fraudulent transactions, potential additional issuer compensation (e.g., card replacement) and dispute resolution costs.

Having stated the reasons for compliance, note that there are different merchant levels that determine how a club must validate compliance with these standards and, ultimately, the club's liability. What follows is a breakdown of these levels with their definitions.

Merchant level 1
Any merchant processing over 6M transactions per year, compromised in the last year or identified by another payment card brand as Level 1.

Merchant level 2
Any merchant processing between 1M to 6M transactions or 150K MasterCard eCommerce transactions per year.

Merchant level 3
Any merchant processing 20K to 1M transactions or over 20K MasterCard eCommerce transactions per year.

Merchant level 4
Any merchant processing less than 20K eCommerce transactions per year and all other merchants processing up to 1M transactions per year.

Similarly, service providers can be categorized into two levels.

Service provider level 1
Any service provider processing or storing over 300,000 transactions or account numbers per year or compromised in the last year.

Service provider level 2
Any service provider processing or storing less than 300,000 transactions or account numbers per year.

The validation requirements for each merchant and service provider level follow below.

Merchant Level 1
  • Validation actions: annual on-site security audit AND quarterly network scan
  • Scope: authorization and settlement systems; Internet-facing perimeter systems
  • Validated by: Qualified Security Assessor (QSA) or internal auditor if trained by PCI; Approved Scanning Vendor (ASV)

Merchant Levels 2 and 3
  • Validation actions: annual self-assessment questionnaire AND quarterly network scan
  • Scope: any system storing, processing or transmitting PCI cardholder data; Internet-facing perimeter systems
  • Validated by: merchant (self-assessment); Approved Scanning Vendor (ASV)

Merchant Level 4
  • Validation actions: annual self-assessment questionnaire recommended; network scan recommended
  • Scope: any system storing, processing or transmitting PCI cardholder data; Internet-facing perimeter systems
  • Validated by: merchant (self-assessment); Approved Scanning Vendor (ASV)

Service Provider Level 1
  • Validation actions: annual on-site security audit AND quarterly network scan
  • Scope: any system storing, processing or transmitting PCI cardholder data; Internet-facing perimeter systems
  • Validated by: Qualified Security Assessor (QSA) or internal auditor if trained by PCI; Approved Scanning Vendor (ASV)

Service Provider Level 2
  • Validation actions: annual self-assessment questionnaire; network scan recommended
  • Scope: any system storing, processing or transmitting PCI cardholder data; Internet-facing perimeter systems
  • Validated by: service provider (self-assessment); Approved Scanning Vendor (ASV)
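The level definitions above overlap (a small club that was compromised last year is Level 1 regardless of volume, and the MasterCard eCommerce triggers for Levels 2 and 3 are independent of total volume), so the order in which the rules are checked matters. The following script, added here as an illustration and not code from the article or from the PCI Security Standards Council, encodes both the merchant and service provider level definitions and returns the matching validation actions from the table. Its inputs are constructed sample clubs; its boundary choices (inclusive thresholds) and its reading of Level 3's "20K to 1M transactions" as eCommerce transactions, so that Level 4's "all other merchants processing up to 1M" has something left to cover, are assumptions made here, not statements from the article.

```python
"""Merchant and service-provider level determination from the thresholds in
the article. Added illustration; threshold boundaries and the eCommerce
reading of Level 3 are assumptions, the validation actions are the article's."""

from dataclasses import dataclass


@dataclass
class MerchantProfile:
    """Annual figures for one merchant (constructed inputs, not real data)."""
    total_transactions: int           # all card transactions, all channels
    ecommerce_transactions: int       # the subset conducted online
    mastercard_ecommerce: int = 0     # the subset of online transactions on MasterCard
    compromised_last_year: bool = False
    brand_designated_level1: bool = False


# Validation actions and validators per merchant level, as listed in the article.
MERCHANT_VALIDATION = {
    1: ("Annual on-site security audit AND quarterly network scan",
        "QSA or PCI-trained internal auditor; ASV"),
    2: ("Annual self-assessment questionnaire AND quarterly network scan",
        "Merchant self-assessment; ASV"),
    3: ("Annual self-assessment questionnaire AND quarterly network scan",
        "Merchant self-assessment; ASV"),
    4: ("Annual self-assessment questionnaire recommended; network scan recommended",
        "Merchant self-assessment; ASV"),
}


def merchant_level(p: MerchantProfile) -> int:
    """Return the merchant level (1-4), checking the most stringent rule first
    because the definitions overlap."""
    if (p.mastercard_ecommerce > p.ecommerce_transactions
            or p.ecommerce_transactions > p.total_transactions):
        raise ValueError("subset counts cannot exceed their parent totals")
    # Level 1: over 6M transactions, compromised in the last year, or designated by a brand.
    if (p.total_transactions > 6_000_000 or p.compromised_last_year
            or p.brand_designated_level1):
        return 1
    # Level 2: 1M to 6M transactions (upper bound already enforced above),
    # or 150K MasterCard eCommerce transactions (assumed inclusive).
    if p.total_transactions >= 1_000_000 or p.mastercard_ecommerce >= 150_000:
        return 2
    # Level 3: 20K to 1M transactions, read here as eCommerce transactions
    # (assumption), or over 20K MasterCard eCommerce transactions.
    if p.ecommerce_transactions >= 20_000 or p.mastercard_ecommerce > 20_000:
        return 3
    # Level 4: under 20K eCommerce transactions and up to 1M in total
    # (the total bound is guaranteed by the Level 2 check above).
    return 4


def service_provider_level(transactions_or_accounts: int,
                           compromised_last_year: bool = False) -> int:
    """Level 1 above 300,000 transactions or stored account numbers per year,
    or after a compromise in the last year; otherwise Level 2."""
    if transactions_or_accounts > 300_000 or compromised_last_year:
        return 1
    return 2


def validation_summary(p: MerchantProfile) -> str:
    """One-line statement of what a merchant must do to validate compliance."""
    level = merchant_level(p)
    actions, validators = MERCHANT_VALIDATION[level]
    return f"Level {level}: {actions} (validated by: {validators})"


if __name__ == "__main__":
    # Constructed sample clubs, not real merchants.
    samples = {
        "large resort": MerchantProfile(7_500_000, 1_000_000, 300_000),
        "mid-size club": MerchantProfile(2_000_000, 100_000, 30_000),
        "online-heavy club": MerchantProfile(800_000, 400_000, 160_000),
        "small club with web store": MerchantProfile(300_000, 50_000, 12_000),
        "small club, mostly in person": MerchantProfile(300_000, 5_000, 1_000),
        "small club breached last year": MerchantProfile(
            50_000, 2_000, 500, compromised_last_year=True),
    }
    for name, profile in samples.items():
        print(f"{name}: {validation_summary(profile)}")
```

The point of checking from Level 1 downward is that a breach or a brand designation overrides volume entirely; a club that computes its level from transaction counts alone and skips those two conditions will under-validate, which is exactly the situation in which Safe Harbor protection is lost.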

Problems can arise from several factors, including inappropriate scope, insufficient documentation, application issues (particularly with legacy applications), unnecessary or inappropriate data storage, compensating controls that do not actually compensate, bad timing and a club's incident response plan. All of these potential issues can be minimized through proper planning and conscientious identification of your club's compliance requirements. If that effort should ever feel unwieldy, remember that the motivation is both financial risk and, ultimately, the trust of your members.