Compliance in the cloud is highly important for multiple industries. Healthcare organizations must follow the Health Insurance Portability and Accountability Act (HIPAA), while government agencies are bound to Criminal Justice Information Services (CJIS) regulations. But for any company that accepts, processes, stores, or transmits credit card information, Payment Card Industry Data Security Standard (PCI DSS) is required to ensure a secure environment is maintained.
Launched in 2006 (the early days of cloud computing), the PCI Security Standards Council became responsible for managing and improving the ever-evolving security standards surrounding credit cards. Their goal is to make sure cardholder data—name, credit card number, expiration, service code, magnetic stripe data, CAV2, CVC2, CVV2, CID, and PINs remain protected. The council was created by Visa, MasterCard, American Express, Discover, and JCB International; these five credit card brands are ultimately responsible for enforcing compliance, not the PCI council itself.
Levels of PCI Compliance
Not all merchants are created equal, and credit card companies recognize this. So, a system of validation based on a merchant’s transaction volumes over a 12-month period was developed (in instances where a merchant has multiple businesses operating under different names, they must be counted as one, and a total transaction amount determined). Complicating matters, however, is that each of the five credit card brands employs different levels of validation. As just one example, here’s a look at Visa’s levels for merchants per year:
Level 1: Over six million transactions
Level 2: One to six million transactions
Level 3: 20,000 to one million transactions
Level 4: Less than 20,000 transactions
It’s important to note that if a merchant violates compliance, or suffers a data breach, the merchant may be moved into a higher level. So, it’s important for small- and medium-sized merchants to keep their data well-protected to avoid being placed at a higher level ,where they will face more intense scrutiny.
E-Commerce and PCI Compliance
Unsurprisingly, e-commerce is poised to surpass in-store purchases by 2024 (it already has for some holidays). While most merchants currently accept online payments, online transactions remain a source of concern when it comes to compliance. According to Javelin Strategy & Research, card-not-present fraud is nearly four times greater than card-present fraud, with hackers finding vulnerabilities in online shopping carts, and exploiting them to steal information.
Some merchants may think they don’t have to worry about compliance by using a PCI-compliant third-party processor, such as PayPal. However, using PayPal or similar companies does not guarantee that the merchant is compliant; even though the processing company is storing, processing, and transmitting cardholder data, merchants are still responsible for accepting that information; that means their online environment needs to be secure as well. A silver lining for small merchants? Using a PCI-compliant processor does usually limit the scope of compliance requirements.
Merchants Move to the Cloud
While large merchants generally have a handle on the different levels and requirements imposed by major credit card companies—along with compliance experts and a legal team on staff—achieving and maintaining compliance for small- and medium-sized merchants can be confusing and difficult. That’s why many are turning to cloud providers offering PCI DSS compliance. Non-PCI DSS merchants can count on a compliant cloud provider to adhere to regulations, and provide high levels of customer data security.
DSM, Florida’s preferred cloud provider, is PCI DSS compliant, adhering to its strict compliance regulations and offering high levels of security to protect customers’ data. Additionally, we know sales can vary greatly for small- and medium-sized merchants throughout the year, often due to seasonality, which is why we also offer level billing. This ensures your monthly payment remains the same, even if your capacity increases. Want to learn more? You can view the current PCI DSS documents on the PCI Security Standards Council website, or contact one of the experts at DSM.