I was just wondering what the PCI certification level would be if you were storing encrypted credit-card numbers for recurring billing.
I plan to have fewer than 20,000 transactions annually; however, with storing credit card numbers I am not sure.
Level 1: Merchants that process over 6 million card transactions annually.
Level 2: Merchants that process 1 to 6 million transactions annually.
Level 3: Merchants that process 20,000 to 1 million transactions annually.
Level 4: Merchants that process fewer than 20,000 transactions annually.
Your organization qualifies as a PCI Level 3 merchant if it meets any of the following criteria: it processes 20,000 to 1 million Visa e-commerce transactions per year, or it processes 20,000 or more Mastercard e-commerce transactions per year but no more than 1 million total Mastercard transactions per year.
To put it simply, PCI DSS Level 1 is a set of requirements to ensure that companies that store, transmit or process credit card data do so to the highest standards. PCI DSS Level 1 is the highest level of compliance. It describes any merchant processing over 6 million Visa transactions per year.
If you really (really) need to store card numbers, then you fall into the strictest level of PCI compliance. That requires annual on-site audits, quarterly network scans, and (as you may already be aware) will be very costly. This is regardless of the number of transactions. (The old first drafts of PCI gave different levels depending on the quantity of cards processed. That is no longer the case.)
If you can use a 3rd party to store/process the recurring billing, then you drop into a lower level which requires only that you complete a Self Assessment Questionnaire (SAQ) annually. Most payment service providers will be able to help with recurring billing if you discuss your requirements with them. Recurring billing (as you know) has extra complications in that cards can expire, be discontinued or be replaced mid-cycle.
If you're at all in doubt, then now would be the best time to start speaking to QSAs (Qualified Security Assessors). If you discuss your situation over the phone, they will be able to advise exactly where you stand. Ultimately, unless you go with a 3rd party Payment Service Provider, you will need a QSA to assist with bringing your organisation into PCI compliance.