Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PCI Level For Storing Credit Cards

Tags:

pci-dss

I was just wondering what would be the PCI certification level if you were storing encrypted credit-card numbers for recurring billing.

I plan to have less than 20,000 transactions annually, however, with the storing credit card numbers I am not sure.

like image 753
John Godspeed Avatar asked Apr 26 '11 04:04

John Godspeed

People also ask

What level of PCI compliance do I need?

Level 1: Merchants that process over 6 million card transactions annually. Level 2: Merchants that process 1 to 6 million transactions annually. Level 3: Merchants that process 20,000 to 1 million transactions annually. Level 4: Merchants that process fewer than 20,000 transactions annually.

What is Level 3 PCI compliance?

Your organization qualifies as a PCI Level 3 merchant if it meets any of the following criteria: Processes 20,000 to 1 million Visa e-commerce transactions per year. Processes 20,000 Mastercard e-commerce transactions per year, but less than or equal to 1 million total Mastercard transactions per year.

What is PCI Level 1 compliance?

To put it simply, the PCI DSS Level 1 is a set of requirements to ensure that companies that store, transmit or process credit card data to the highest standards. PCI DSS Level 1 is the highest level of compliance. This describes any merchant, processing over 6 million Visa transactions per year.

1 Answers

If you really (really) need to store card numbers, then you fall into the strictest level of PCI compliance. That requires annual on-site audits, quarterly network scans, and (as you may already be aware) will be very costly. This is regardless of number of transactions. (The old first drafts of PCI gave different levels depending on quantity of cards processed. That is no longer the case)

If you can use a 3rd party to store/process the recurring billing then you drop into a lower level which requires only that you complete a Self Assessment Questionnaire (SAQ) annually. Most payment service providers will be able to help with recurring billing if you discuss your requirements with them. Recurring billing (as you know) has extra complications in that cards can expire/be discontinued/replaced mid cycle

If you're at all in doubt, then now would be the best time to start speaking to QSA's (Qualified Security Assessor). If you discuss your situation over the phone they will be able to advise exactly where you stand. Ultimately, unless you go with a 3rd party Payment Service Provider you will need a QSA to assist with bringing your organisation into PCI compliance.

like image 170
PaulG Avatar answered Oct 12 '22 08:10

PaulG
Sign in to Comment

Related questions

PCI DSS and release deployment automation

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!