PCI DSS Level 4 Merchant Compliance

As PCI DSS continues to be enforced as the standard for credit card data security, the emphasis of compliance mandates has focused primarily on Level 1, Level 2 and Level 3 merchants.

On paper, this is the best and most obvious move: it protects the card data of the maximum number of cards and cardholders, and it addresses first those merchants clearing the largest volume of transactions per year.

But Level 4 merchants are now getting much more attention, as many of them are using integrated POS terminals connected to high-speed Internet connections instead of the usual stand-alone, dial-up POS terminals, which cannot be reached from the Internet.

This disparity, along with the fact that Level 4 merchants run the gamut from small mom-and-pop shops with a single dial-up POS terminal to large brick-and-mortar operations with high-speed lines, leaves some of these merchants wide open to attackers.

According to Visa, Level 4 merchants handle fewer transactions than Levels 1, 2 and 3, but they account for more than 99 percent of the merchants that accept Visa. This makes them a prime target for attackers.

"Usually, Level 4 merchants do not have the technical expertise, nor the IT staff, to properly secure cardholder data," said Joan Herbig, CEO of ControlScan.

"For all data breaches, you have two main risks: the internal risk, an employee obtaining a file that they shouldn't have, and an external risk, a hacker," she explained.

"A hacker is going to look for the path of least resistance," she continued. "Level 1 and 2 merchants can afford to button up their IT infrastructure, because they have the money to do so; they can afford to staff a huge IT department, and they don't want to be a headline in the news."

"So, if I am a hacker, I'm going to go to the merchant that I know cannot afford the proper security or staff to mitigate that type of breach," she finished.

Herbig said that, even with the July deadline, Level 4 merchants and acquirers are becoming PCI compliant at a "trickle."

Though Level 4 merchants are not required by the PCI SSC, or by card issuers such as Visa and MasterCard, to submit to an onsite security assessment, it is up to the acquirer to make sure that its Level 4 merchants understand the need to be PCI compliant.

To spur this along, Visa U.S.A. added a new Level 4 Merchant Compliance Program to address data security issues among Level 4 merchants.

The new program, released in May 2007, requires acquirers to develop and submit a formal written compliance plan to Visa, which "identifies, prioritizes and manages overall risk within their Level 4 merchant populations," according to the CISP Bulletin.

Many acquirers have already developed, written and sent a summary of their plans to make their Level 4 merchants compliant under Visa's PCI Compliance Acceleration Program (PCI CAP). (See Visa PCI CAP Program.)

Acquirers who have not yet written and/or sent a summary of their plan must email one to Visa no later than July 31, 2007. Email summaries to cisp@visa.com.

The Level 4 Merchant Compliance Program plan must consist of the following items:
  • Timeline of Critical Events--Completion dates and milestones for the overall strategy.
  • Risk-Profiling Strategy--Prioritization of Level 4 merchants into subgroups, from merchants that pose the greatest risk to those that pose little risk at all. Factors such as merchant category, transaction volume, market segment, acceptance channel and number of locations can help the acquirer target compliance efforts for each subgroup.
  • Merchant Education Strategy--A strategy designed to eliminate the storage of prohibited data, protect stored data, and secure the environment in accordance with PCI DSS. This includes ensuring that merchants store only the data they truly require, that they comply with PCI DSS, that their payment applications are compliant, and that any third-party agents are on Visa's list of CISP-Compliant Service Providers.
  • Compliance Reporting--Monthly compliance reporting to executive or board management. Visa may also periodically request that the acquirer produce these reports.

© 2008 PCI Compliance Guide.org