PCI compliance from level 1 to level 4

PCI compliance is complex. Comprising 12 regulations, subdivided into more than 200 individual requirements, it can seem a minefield when you look at it for your business.

Level 1, 2, 3 or 4?


In brief, if you process more than 6 million card transactions annually, you’ll have to show Level 1 compliance.

This can be the most onerous of all the levels. In addition to the requirements set for every other level (a quarterly network scan by an Approved Scan Vendor (ASV), a Penetration Test, an Internal Penetration Test and an annual Attestation of Compliance form (AoC)), you’ll also have to produce an Annual Report on Compliance (ARC) compiled by an Approved Security Assessor (ASA).

However, at Levels 2-4, the Annual Report on Compliance (ARC) is replaced with an Annual Self-Assessment Questionnaire (SAQ).

You might therefore think it makes sense to aim for Levels 2-4 rather than Level 1; you might even take the plunge and go the DIY route.

However, outsourcing compliance to a service provider that is not a Level 1 approved company, venturing down the DIY route, or even combining the two could prove a false economy.

Settling for a lower level is potentially a false economy and less secure


Securing a single server yourself, at Level 3 or 4 for example, will take around 3-4 weeks.

This estimate assumes you have employees proficient in data security matters. Your direct costs will include ongoing compliance, and indirect costs will be incurred through disruption to your business processes. Even with outside help it’s likely to take up to 4 days and cost more than £10,000, and that’s just to secure one server and prepare the necessary documentation.

If you capture and retain cardholder information, costs could escalate to £37,000-£50,000, with no guarantee that you won’t have to upgrade your existing legacy systems and software.

Security


An SAQ at Levels 2-4 still comprises 5-6 pages of complex questions, all of which must be answered with extreme care. It’s an onerous task for anyone completing an SAQ.

This raises the question of whether those questions have been answered accurately and thoroughly enough. Unfortunately, less than thorough answers can lead to data breaches, fines and other penalties such as increased processing fees. Ironically, your card issuer could also compel you to upgrade to Level 1 status.

After a particularly profitable period, you might also cross a transaction threshold and instantly lose compliance.

Being compliant at Level 1 from the outset, however, removes the need to continually monitor transaction volumes, and avoids the expense of having to upgrade to the next level once a threshold is crossed.

The solution: outsource PCI compliance to a Level 1 service provider


BCH incurs all the costs of acquiring and maintaining Level 1 compliance, paying for its systems and engineers and all the technical know-how required to offer state-of-the-art PCI compliant phone services – our customers only pay for the services they use, when they use them.

A fully hosted solution means that all sensitive card data is kept separate from your e-commerce environment. BCH’s Attestation of Compliance is accepted by the PCI Council as evidence of your company’s adherence to the highest and strictest level of PCI-DSS. You’ll find us on Visa Europe’s list of approved Level 1 service providers.

BCH and PCI-DSS


At Level 1, BCH is audited annually against the latest and ongoing changes in PCI-DSS regulations. Anyone offering Level 2-4 compliance is not subject to such an onerous level of scrutiny. We’re continually having our homework checked!

Every process, every change and every access inside Level 1 is logged continuously, both to file and in memory, and all connections, even internal ones, are secured and encrypted using strong cryptographic algorithms. The IVR systems and their associated Level 1 support servers are never exposed to the broader Internet in any way. All functionality is contained behind numerous firewalls to protect and safeguard our platform.

Achieving this level of security and functionality would have been impossible on any existing system. Our expert team of engineers has built BCH’s PCI system from the ground up.

When our clients configure a service via the Internet, various firewalls partition the BCH platform from any direct connection. Everything is secured; nothing is copied or shared. If the card data environment were to be compromised via the Internet, it would require breaching numerous firewalls. This is all but impossible.

It is this partitioning, and the expert network engineering required to build such a highly secure network, that, as much as anything else, makes PCI-DSS Level 1 so difficult to obtain and so hard to maintain. In short, it’s easier to leave compliance to us.

Call us today on 0161 537 7707 or email us at sales@bchdigital.com.
