
Powehi to PCI – from one black hole to another

See the light and outsource PCI compliance to a level 1 service provider

With the first-pictured black hole comes the name Powehi meaning the ‘adorned fathomless dark creation’. It’s a name you might argue should have been given to PCI-DSS regulations – something closer to home. After all, understanding the complex chasm of PCI’s 12 regulations, which then subdivide into a staggering 200 plus individual requirements, can be a bit like venturing into a black hole, never to see the light of day again.

But it’s getting darker – Level 1, 2, 3 or 4? Which one is right for you?

In brief, if you process more than 6 million card transactions annually, you’ll have to show Level 1 compliance. This is the most onerous of all levels since in addition to the requirements set for every other level [a quarterly network scan by an Approved Scan Vendor (ASV), a Penetration Test, an Internal Penetration Test and an annual Attestation of Compliance form (AoC)] you’ll also have to produce an Annual Report on Compliance (ARC) compiled by an Approved Security Assessor (ASA). At Levels 2-4, however, the Annual Report on Compliance (ARC) is replaced with an Annual Self-Assessment Questionnaire (SAQ).

You might, therefore, choose to aim for anything but Level 1. Buoyed by the attraction of an SAQ along with transaction levels that fall below Level 1 parameters, surely it makes sense to aim for Levels 2-4. You might even take the plunge and start down the DIY route. Nevertheless, outsourcing compliance to a service provider other than a Level 1 approved company, venturing down the DIY route or even doing a combination of both could prove a false economy.

Settling for a lower level is potentially a false economy and less secure


Securing just a single server yourself, say at Level 3-4, will take around 3-4 weeks. This assumes that you have expert employees who are proficient in dealing with data security matters. Your direct costs will include ongoing compliance and indirect costs will be incurred through disruption to your business processes. Even with outside help it’s likely to take up to 4 days and cost in excess of £10,000, and that’s just to secure one server and prep the necessary documentation.

If you capture and retain cardholder information, costs could escalate to £37-£50,000, with no guarantee that you won’t have to upgrade your existing legacy systems and software.


An SAQ at Level 2-4 still comprises 5-6 pages of complex questions, all of which must be answered with extreme care. It’s still an onerous task for anyone completing an SAQ, especially when there’s no one to check the homework. Inevitably this leads to the question as to whether those answers, by default or design, have been dealt with accurately and thoroughly enough. Unfortunately, less than thorough answers, intentional or otherwise, can lead to data breaches, fines and other penalties such as increased processing fees. Ironically, your card issuer could also compel you to upgrade to Level 1 status.

After a particularly profitable period, you might also breach a transaction threshold and instantly lose compliance. Being compliant at Level 1 from the outset, however, obviates the need to continually monitor transaction levels, and avoids the expense of having to upgrade to the next level once a threshold is breached.

In short, many businesses simply don’t have the internal structures or resources to implement and then effectively monitor compliance.

The solution: outsource PCI compliance to a Level 1 service provider

True “Compliance as a Service”

BCH incurs all the costs of acquiring and maintaining Level 1 compliance, paying for its systems and engineers and all the technical know-how required to offer state of the art PCI compliant phone services – our customers only have to pay for those services they use, when they use them. In short, there are no onerous upfront costs to bear.

A fully hosted solution means that all sensitive card data is kept separate from your e-commerce environment. BCH’s Attestation of Compliance is accepted by the PCI Council as your company’s adherence to the highest and strictest level of PCI-DSS.

You’ll find us on Visa Europe’s list of approved Level 1 service providers.


At Level 1, BCH is audited annually against the latest as well as ongoing changes in PCI-DSS regulations. Anyone offering Level 2-4 compliance is not subject to such an onerous level of scrutiny. We’re continually having our homework checked!

Every process, every change, every access inside Level 1 is logged continuously, in file and in memory, and all connections, even internally, are secure and encrypted using strong cryptographic algorithms. The IVR systems and their associated Level 1 support servers are never exposed to the external broader Internet in any way. All functionality is contained by connections through numerous firewalls to protect and safeguard our platform.

Achieving this level of security and functionality would have been impossible on any existing system. Our expert team of engineers have actually built BCH’s PCI system from the ground up.

When our clients configure a service via the Internet, various firewalls act to partition the BCH platform from any direct connection. Everything is secure, nothing is copied or shared. If the card data environment were to be compromised via the Internet, it would require hacking numerous firewalls. This is all but impossible.

It is this partitioning and the expert nature of the network engineering required to build a highly secure network that, as much as anything else, makes obtaining PCI-DSS Level 1 so very difficult and maintaining it so hard. In short, it’s easier to leave compliance to us.

Call us today on 0161 537 7707 or email us at
