How do Merchant Levels Determine PCI Compliance?

Learn more about merchant levels and how they affect PCI requirements. 

Did you know that merchants have different PCI requirements depending on their level? Did you know there are different levels of merchants? The number and type of requirements will vary based on the number of transactions processed annually, which determines your merchant level.
Here’s a quick look at the different merchant levels and what they mean for PCI requirements.

What’s a merchant? 

For the sake of clarity, we’ll start off by defining a merchant. In terms of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Basically, if your business takes these types of cards as payment, you’re defined as a merchant.

Keep in mind that a merchant that accepts cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants.

Merchants have 4 levels, depending on how many transactions they process annually. Here’s what the PCI DSS requires from each level. (Note that the transaction counts are based on Visa’s parameters.)

SEE ALSO: 5 Simple Ways to Get PCI Compliant

Level 1 Merchant

Merchants that process more than 6,000,000 transactions annually. These are the enterprise organizations that deal with a high volume of card data and processing.

Key PCI Requirements: 

Level 2 Merchant

Merchants that process about 1,000,000 to 6,000,000 transactions annually. These are businesses that still process a lot of card data, but not as much as Level 1 merchants.

Key PCI Requirements:

  • Annual Self-Assessment Questionnaire (SAQ) if the organization has a certified Internal Security Assessor (ISA) on staff 
  • Onsite Assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) 
  • Quarterly network scan by an Approved Scanning Vendor (ASV) 
  • Attestation of Compliance Form 
  • Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan) 

Level 3 and Level 4 Merchants

Level 3 merchants process 20,000 to 1,000,000 transactions annually. Level 4 merchants process less than 20,000 transactions annually. These are your smaller businesses that may only have a few POS machines, or don’t handle a lot of card data.

Key PCI Requirements:
  • Annual SAQ 
  • Quarterly network scan by an Approved Scanning Vendor (ASV) 
  • Attestation of Compliance Form 
  • Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan) 

Tips to get PCI compliant 

If you’re a merchant, make sure you know what level you are, since each level may have different requirements from PCI. As you can see, Level 3 and 4 merchants have fewer requirements than Level 1 and 2 merchants.

Here are a few tips to help you get PCI compliant:
  • Talk with a PCI professional: PCI compliance can get a little complex. Talk to a Qualified Security Assessor (QSA) to see which elements of the PCI DSS your business needs to focus on. 
  • Understand your PCI scope: track where card data moves in and out of your network. This will help you determine which areas of your business environment need to be secured. 
  • Document everything: having proper documentation of your policies and procedures will help you prove PCI compliance and stay organized in your security program. 

Want more information about your own PCI requirements? Read the 2016 SecurityMetrics Guide to PCI DSS Compliance!

Patching the Shoplift Bug: What You Should Be Doing

If you haven’t patched this vulnerability, you should.  

By: Chase Palmer, CISSP
In early 2015, Magento found a vulnerability known as Shoplift Bug and released a patch for it. Unfortunately, many businesses still haven’t patched this vulnerability, which could threaten their e-commerce integrity.

Here is some more information about the Shoplift Bug, how it makes your system vulnerable, and what you need to do to combat it.

SEE ALSO: How do Hackers Hack?

How does the Shoplift Bug work? 

Through the Shoplift Bug, hackers can remotely execute code on Magento software. This vulnerability seems to affect both the community and enterprise versions of Magento.

The Shoplifting exploit is actually a chain of vulnerabilities in the Magento core software, but is frighteningly simple.  The exploit uses a Python script that forces the server to downgrade the website from HTTPS to HTTP and then uses SQL injection to create a new user with administrative privileges.

Once the attacker has access to the dashboard with administrator access, they will typically install software through the console that will create a backdoor that allows the attacker to remotely alter the functionality of the online store, add or remove products, change the price of products, add phony coupons, and much more.

What should I do? 

Unfortunately, this exploit was highly automated and nearly all vulnerable instances of the Magento dashboard are assumed to be compromised.  If you don’t know if you’ve patched your site recently or if you’re a Magento user, check on

If you haven’t installed this patch, here’s a list of steps you should take to patch your website:
  • Download and implement the two patches from the Magento Community Edition download page
  • Test the patches in a development environment first to make sure they’re working properly before deploying them in your production environment
  • Check for unknown files in the web server document root directory. If you find any, remove the files, keeping a secure copy if possible
  • Check all admin accounts to make sure they’re all authorized. Change all admin passwords if you suspect a breach
  • Check for unknown IP addresses accessing the system, since hackers may be using legitimate credentials to gain access to your system. Examples of addresses could include,, and 
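Two of the checks above (unknown files in the document root, admin accounts nobody authorized) are easy to turn into a repeatable review. The script below is an added example, not SecurityMetrics’ or Magento’s code: it hashes every file under a document root, diffs that manifest against a baseline taken while the tree was known-good, and reconciles the accounts holding admin rights against the list the business actually signed off on. The directory contents, file names and account names are constructed for the demo.

```python
"""Post-patch review of a web document root and of who holds admin rights.

Added example, not SecurityMetrics' or Magento's code. It builds a SHA-256
manifest of a document root, diffs it against a baseline taken before the
review window to surface files that were added, removed or altered, and
reconciles the accounts that currently hold admin rights against the list
the business has actually authorized. The files and account names are
constructed for the demo; no real paths or indicators are used.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def diff_manifest(baseline, current):
    """Return (added, removed, modified) relative paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def unauthorized_admins(admins_on_system, authorized):
    """Admin accounts present on the system that nobody signed off on."""
    return sorted(set(admins_on_system) - set(authorized))


def demo():
    """Baseline a small constructed docroot, plant two changes, report them."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "etc"))
        originals = {
            "index.php": b"<?php echo 'shop'; ?>\n",
            "app/etc/config.php": b"<?php return []; ?>\n",
        }
        for rel, data in originals.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)  # taken while the tree is known-good

        # Constructed changes standing in for what a review might find:
        # a file nobody deployed, and a core file with content appended.
        with open(os.path.join(root, "app", "etc", "cache.php"), "wb") as fh:
            fh.write(b"<?php /* unknown */ ?>\n")
        with open(os.path.join(root, "index.php"), "ab") as fh:
            fh.write(b"// appended\n")

        added, removed, modified = diff_manifest(baseline, build_manifest(root))

    # Constructed account data: 'support2' exists but was never authorized.
    admins_on_system = ["admin", "jdoe", "support2"]
    authorized = ["admin", "jdoe"]
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "unauthorized_admins": unauthorized_admins(admins_on_system, authorized),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline is only useful if it was captured before the compromise window and stored somewhere the web server cannot write to; a manifest taken after the fact simply enshrines whatever the attacker left behind.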
If you need help installing patches, refer to Magento’s Community Security patch forum where community members, moderators, and Magento can assist with questions about downloading and installing patches.
If you haven’t already installed this latest patch, you should do so as soon as possible.

Patch your systems

Remember, it’s important to stay up to date on your systems and patch any vulnerabilities that pop up. Tips to do this include:
  • Sign up for newsletters/notifications from vendors you use: Once they release a new patch, you’ll be notified. 
  • Patch the vulnerability as soon as possible: The sooner you fix the vulnerability, the less time you’ll be open to attacks. 
  • Set up a schedule to regularly patch and update software: This will keep your software updated in its most secure state. 
SEE ALSO: Security Patches in Your Business: Complying with PCI Requirement 6.1

Chase Palmer is the Senior Program Manager and has been working at SecurityMetrics for seven years. He manages the company’s largest corporate partners in running mass Level 4 PCI DSS programs worldwide. Chase has a Bachelor’s degree in Business Management from Western Governor’s University. He currently lives in Provo, Utah, and he loves everything about motorcycles.

How Much Does a Data Breach Cost Your Organization?

A data breach may cost you more than you think.

By: David Ellis
Did you know that today, we’ve seen businesses pay up to $4 million after a data breach? And those costs seem to only be rising. The longer businesses take to secure their card data, the higher those costs will be.

Some organizations believe dealing with a data breach might be better than dealing with the difficulties of PCI and HIPAA compliance. Unfortunately, they don’t realize how much damage a data breach can inflict on a business.

Let’s take a look at some of the different costs your business could incur as a result of a data breach.

SEE ALSO: How Much Does PCI Compliance Cost?

Financial costs

After a data breach, businesses could face multiple types of financial detriment, which may include:
  • Merchant processor compromise fines: $5,000 – $50,000
  • Forensic investigation: $12,000 – $100,000+
  • Onsite QSA assessments following the breach: $20,000 – $100,000
  • Free credit monitoring for affected individuals: $10-$30/card
  • Card re-issuance penalties: $3 – $10 per card
  • Breach notification costs: $2,000 – $5,000+
  • Technology repairs: $2,000 - $10,000+
  • Increase in monthly card processing fees: +
  • Legal fees: +
  • Civil judgments: +

Reputation costs

In addition to these expenses, you need to also consider the cost of damage to the reputation of your brand.
After a breach, many businesses have documented losing up to 40% of their revenue from customers losing confidence in their brand.
Customers losing confidence in your brand will drastically impact your business. That’s a cost that your business may have to deal with even years after the data breach.

Health organization costs

If you’re running a healthcare entity, hopefully you’re aware of how valuable healthcare patient data is to hackers.

Today, patient records can be even more valuable than credit cards on the black market.  While most credit cards sell for $2-$10 each, high quality patient data can fetch up to $200.
Patient data is also harder to replace or repair. If a consumer’s credit card data is stolen, replacing your card isn’t difficult and the impact is minimal since your personal money was not at risk—the hacker is actually stealing from the credit card company. But if your name, date of birth, and social security number are stolen and used to create a false identity, make purchases, and take out loans, it’s more difficult to repair the damage.  You’ll need to go to banks and credit bureaus to erase those actions against your personal credit profile, and you’ll have to deal with the government regarding your stolen Social Security Number—which could require you to get a new SSN.

Just think of the grief that would create.  If your organization was responsible for this type of havoc being wreaked against your clients, the ramifications—both for your reputation and civil recourse—may be catastrophic.

If your organization handles patient data, you may incur additional fees. These fees may include:
  • HHS fines: up to $1.5 million/violation/year
  • Implementation of new systems and processes: varies
  • On-going credit monitoring for affected patients: $10/individual
  • Federal Trade Commission fines: $16,000/violation (violation = per record)
  • Class action lawsuits: $1,000/record
  • State attorneys general: $150,000 – $6.8 million
  • Patient loss: 40%
SEE ALSO: How Much Does HIPAA Compliance Cost?

Legal costs

With data breaches come the inevitable lawsuits, especially if it’s proven that the business didn’t take the necessary precautions to secure their data. Lawyer fees can add up quickly, ranging from $5,000 to well over six figures.

There’s also the recent ruling that allows the Federal Trade Commission to sue a hacked company if it didn’t have proper security in place. The fact that more government organizations are getting involved in data security demonstrates how serious the government considers data breaches to be, and emphasizes the need to actively secure your company and client data.

SEE ALSO: Computer Security and The FTC: Suing Hacked Companies

Protecting your data

Some basic security practices you can follow include:
  • Get compliant with financial/healthcare mandates: mandates like the PCI DSS and HIPAA cover a lot of basic security protocols you should be following.
  • Segment your network: the more valuable the information, the more it should be separated from your day-to-day data
  • Secure your remote access: use multiple layers of authenticating security
  • Install security systems: implement multiple, robust firewalls and intrusion detection/prevention systems
  • Conduct a thorough risk assessment: You can’t protect your data if you don’t know the risks your business has. Identify your valuable data targets and the threats against them
  • Monitor your systems:  Regular review of firewall and intrusion detection/prevention logs will show you threats that are hitting your systems
SEE ALSO: 3 Data Security Best Practices

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.

SecurityMetrics' Guide to PCI DSS Compliance
Top 5 Security Vulnerabilities Every Business Should Know

Learn how your business is making itself vulnerable.   

By: Chase Palmer
Did you know that over 400 million records were compromised in the USA in 2015 alone? What’s worse is all the breached businesses SecurityMetrics has investigated had preventable vulnerabilities.
If merchants are consistent in one thing, they’re consistent in losing data.
The big problem is many businesses don’t even know they’re vulnerable until it’s too late. Here are the top 5 practices that make businesses vulnerable.

SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

5. Storing unencrypted data

Did you know that according to our PANscan study, 61% of merchants store unencrypted card data, and 10% store magnetic stripe data? This is data that’s just waiting around to be stolen.

Why should you encrypt your card data? Well, it essentially makes it useless to hackers should it get stolen. Encrypting card data ensures it can’t be used if stolen.

Some other things you can do to protect your card data include:
  • Limit access to data: the fewer employees that have access to your card data, the less likely your data could be leaked or exposed
  • Use P2PE validation: point-to-point encryption ensures your data is encrypted at the point of swipe until it’s received by the processor, so unencrypted data is never in your system
  • Consider tokenization: if you can, don’t store card data by using technology like tokenization. Getting a third party to handle and store your card data can eliminate many potential security problems
  • Use network segmentation: keeping the part of your network that deals with card data separate from other networks helps make securing your data easier

4. Not reviewing firewall logs

It’s likely your business has a firewall, but do you have someone reviewing the firewall logs?

Think of reviewing logs as having a watchman on a tower. He’s pretty useless if he isn’t looking for threats and letting everyone know when there’s danger. Having your firewall is useless if you aren’t paying attention to it when it notifies you something is off.

I recommend you install log monitoring software to aid in the log review process. Log monitoring software can look through the log entries on your firewall much faster than a person can and will notify you if something fishy happens (e.g. someone tries to log onto your network 300 times at 2 am). Remember though, you still need someone to review any alerts that are flagged by the system.

I would also recommend installing file integrity monitoring software on all your critical systems, which will alert you when changes to important files have been made.
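The “300 login attempts at 2 am” case is exactly the kind of rule a log monitoring tool applies for you. The following is an added example, not SecurityMetrics’ code or any vendor’s product: it parses a constructed firewall login log, keeps a sliding window of failed attempts per source address, and raises one alert per source once the failures in the window reach a threshold. The log format, the addresses (RFC 5737 documentation ranges) and the burst itself are all constructed for the demo.

```python
"""Failed-login burst detection over firewall/auth log lines.

Added example, not SecurityMetrics' code. It implements the kind of rule a
log-monitoring tool applies: parse each line, keep a sliding window of
failed logins per source address, and raise one alert per source once the
failures inside the window reach a threshold. The log format, addresses
(RFC 5737 documentation ranges) and the 300-attempts-at-2am burst are all
constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: ISO timestamp, source, action, result, user.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) action=login result=(?P<result>\w+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "result": m["result"],
        "user": m["user"],
    }


def detect_bursts(lines, threshold=50, window=timedelta(minutes=10)):
    """Alert once per source when its failures within `window` reach `threshold`.

    Lines are assumed to arrive in time order, as they do from a log tail.
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["result"] != "FAIL":
            continue
        q = recent[event["src"]]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and event["src"] not in alerted:
            alerted.add(event["src"])
            alerts.append({
                "src": event["src"],
                "count": len(q),
                "first": q[0].isoformat(),
                "last": event["ts"].isoformat(),
            })
    return alerts


def constructed_log():
    """300 failures in five minutes from one address, plus normal activity."""
    start = datetime(2016, 5, 12, 2, 0, 0)
    lines = [
        f"{(start + timedelta(seconds=i)).isoformat()} src=203.0.113.45 action=login result=FAIL user=admin"
        for i in range(300)
    ]
    lines.append("2016-05-12T08:15:02 src=198.51.100.7 action=login result=FAIL user=jdoe")
    lines.append("2016-05-12T08:15:20 src=198.51.100.7 action=login result=OK user=jdoe")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(constructed_log()):
        print(alert)
```

The one-alert-per-source rule is deliberate: a burst of 300 failures should produce a single ticket for a person to review, not 250 duplicates that train the reviewer to ignore the queue.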

3. Not configuring firewalls

SecurityMetrics forensic investigators found that over 65% of breached merchants didn’t have a properly configured firewall in place. A lack of configuration often weakens and even negates the effects of a firewall.

Many businesses think they can just plug in their firewall and be done with it, but there’s more. Very rarely, if ever, do you have a firewall that comes out of the box pre-configured to your system. Most firewalls are programmed by default to either not let any traffic in at all, or to let all traffic in. You will need to spend some time to determine what kind of traffic is allowed for your network and what rules need to be configured on your firewall.

Less reliable firewalls will come with factory defaults allowing most or all traffic in and out.  This creates a lot of work for the user to figure out what needs to be closed, and it often leaves vulnerabilities in the firewall that can be exploited.  A good firewall will be set, by default, to block most traffic.  The user will then need to start opening up the firewall to start allowing specific types of traffic in and out.  This is a much more controlled method of setting up a firewall as it minimizes the possibilities of leaving vulnerable paths into your network.

It’s also important to review firewall rules on a regular basis.  Leaving old rules in place when systems or users have been removed can not only cause conflict with other rules but can also leave gaping holes in the security of the network.
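To make the default-deny versus default-allow distinction and the stale-rule problem concrete, here is an added example that is not SecurityMetrics’ code and is not tied to any vendor’s rule syntax. It evaluates a small first-match-wins ruleset against sample packets under both default postures, and audits the ruleset for a default-allow setting, allow-anything rules, and rules whose destination host is no longer in the asset inventory. The rules, inventory and packets are constructed for the demo.

```python
"""Firewall rule audit: default action, overly broad allows, stale rules.

Added example, not SecurityMetrics' code and not tied to any vendor's rule
syntax. Rules are first-match-wins entries with CIDR sources/destinations and
a port; the ruleset, the asset inventory and the sample packets are
constructed for the demo. The audit flags a default-allow posture, rules that
allow any source to any destination, and rules whose destination host is no
longer in the inventory (the stale rules that should be reviewed).
"""
import ipaddress

ANY = "any"


def _matches(selector, value):
    """True if selector is 'any', or value falls inside the selector (CIDR or port)."""
    if selector == ANY:
        return True
    if isinstance(value, int):  # port comparison
        return selector == value
    return ipaddress.ip_address(value) in ipaddress.ip_network(selector, strict=False)


def evaluate(rules, default, packet):
    """First matching rule decides; otherwise the device's default action applies."""
    for rule in rules:
        if (_matches(rule["src"], packet["src"]) and _matches(rule["dst"], packet["dst"])
                and _matches(rule["port"], packet["port"])):
            return rule["action"]
    return default


def audit(rules, default, inventory):
    """Return findings about the overall posture and about individual rules."""
    findings = []
    if default != "deny":
        findings.append("default action is allow: unmatched traffic gets through")
    for i, rule in enumerate(rules):
        if rule["action"] == "allow" and rule["src"] == ANY and rule["dst"] == ANY:
            findings.append(f"rule {i}: allows any source to any destination")
        if rule["dst"] != ANY:
            net = ipaddress.ip_network(rule["dst"], strict=False)
            # A single-host destination that is not in the inventory is a
            # leftover from a system that has since been removed.
            if net.num_addresses == 1 and str(net.network_address) not in inventory:
                findings.append(
                    f"rule {i}: destination {rule['dst']} is not in the asset inventory (stale?)"
                )
    return findings


def demo():
    """Constructed inventory, ruleset and packets; shows both default postures."""
    inventory = {"10.0.1.10": "web01", "10.0.1.20": "db01"}
    rules = [
        {"action": "allow", "src": ANY, "dst": "10.0.1.10", "port": 443},
        {"action": "allow", "src": "10.0.2.0/24", "dst": "10.0.1.20", "port": 5432},
        {"action": "allow", "src": ANY, "dst": "10.0.1.30", "port": 22},  # host retired
    ]
    packets = [
        {"src": "203.0.113.5", "dst": "10.0.1.10", "port": 443},   # public web traffic
        {"src": "203.0.113.5", "dst": "10.0.1.20", "port": 5432},  # internet -> database
        {"src": "10.0.2.15", "dst": "10.0.1.20", "port": 5432},    # app subnet -> database
    ]
    return {
        "default_deny": [evaluate(rules, "deny", p) for p in packets],
        "default_allow": [evaluate(rules, "allow", p) for p in packets],
        "findings_deny": audit(rules, "deny", inventory),
        "findings_allow": audit(rules, "allow", inventory),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note how the same three rules let an internet host reach the database only when the default is allow; the rules never changed, only the posture did. Running the audit against a current asset list each review cycle is what catches the retired-host rule before it becomes the path back in.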

SEE ALSO: PCI Compliant Firewalls: 5 Things You’re Doing Wrong

2. Lack of password management / lack of software updates

A lot of businesses don’t have adequate password management policies in place, if they have them at all.  In most cases employees use predictable usernames and simple passwords for the sake of convenience, and about half of employees are using passwords that are at least 5 years old. Unfortunately, this makes it really easy for hackers to gain access to your data through your employees.

Make sure you and your employees are using unique passwords. It’s also important to avoid using dictionary words and keyboard-pattern passwords (e.g. 123qwe).

Here are 10 of the most common passwords:
  • 123456
  • password
  • qwerty
  • football
  • baseball
  • welcome
  • abc123
  • 111111
  • 1qaz2wsx
  • dragon
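A password policy is only as good as the check that enforces it. The code below is an added example, not SecurityMetrics’ code: it rejects the ten passwords listed above, detects keyboard walks (rows such as qwerty and column walks such as 1qaz2wsx, in either direction) by measuring how much of a password they cover, enforces the seven-character letters-and-digits minimum from PCI DSS 3.2 requirement 8.2.3, and flags passwords older than five years. The walk list, the coverage threshold and the age limit are this example’s assumptions.

```python
"""Password policy checks: common list, keyboard walks, length, age.

Added example, not SecurityMetrics' code. The common-password list is the
one in the post; the keyboard walks (rows plus the 1qaz/2wsx column walks),
the minimum of seven characters with letters and digits (PCI DSS 3.2
requirement 8.2.3), the two-thirds coverage threshold and the five-year age
limit are the policy choices this example assumes.
"""
from datetime import date

COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "football", "baseball",
    "welcome", "abc123", "111111", "1qaz2wsx", "dragon",
}

# Rows and columns of a US keyboard that people "walk" along.
KEYBOARD_WALKS = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol",
]


def _walk_fragments(min_len):
    """Every substring of length >= min_len of a walk, in either direction."""
    frags = set()
    for walk in KEYBOARD_WALKS:
        for seq in (walk, walk[::-1]):
            for i in range(len(seq) - min_len + 1):
                for j in range(i + min_len, len(seq) + 1):
                    frags.add(seq[i:j])
    return frags


def keyboard_walk_coverage(password, min_len=3):
    """Fraction of characters covered by keyboard-walk fragments (0.0 to 1.0)."""
    s = password.lower()
    if not s:
        return 0.0
    frags = _walk_fragments(min_len)
    covered = [False] * len(s)
    i = 0
    while i < len(s):
        for j in range(len(s), i + min_len - 1, -1):  # longest fragment first
            if s[i:j] in frags:
                covered[i:j] = [True] * (j - i)
                i = j
                break
        else:
            i += 1  # no fragment starts here; move on
    return sum(covered) / len(s)


def check_password(password, last_changed=None, today=None, max_age_years=5):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both letters and digits")
    if keyboard_walk_coverage(password) >= 0.66:
        problems.append("mostly a keyboard pattern")
    if last_changed is not None:
        today = today or date.today()
        if (today - last_changed).days > max_age_years * 365:
            problems.append(f"older than {max_age_years} years")
    return problems


if __name__ == "__main__":
    for candidate in ["123qwe", "1qaz2wsx", "password", "Tr0ub4dor&3!"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

Coverage rather than a simple substring match is what keeps ordinary words with an incidental three-letter run (the “ert” in “concert”, for instance) from being rejected, while 123qwe and 1qaz2wsx still score as fully patterned.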
Additionally, many businesses don’t regularly update their software. By skipping updates, they’re leaving their networks open to vulnerabilities that would’ve been patched in those updates.

Establish a schedule where you update your software and technology regularly. If a big patch comes out, make sure to update the affected technology within 30 days of the patch’s release.

Occasionally software will no longer be supported by its developer, meaning that vulnerabilities won’t ever be fixed.  This is called software sunset.  Any software that’s no longer supported by its developers should be replaced as soon as possible.

SEE ALSO: Security Patches in Your Business: Complying with PCI Requirement 6.1

1. Unsecured remote access

Of all the breaches investigated by SecurityMetrics last year, 29% were breached as a result of unsecured remote access. Remote access is still the #1 pathway hackers use to gain data.

While remote access can be useful to your business and convenient, it can also open up a pathway for a hacker if it’s not properly secured.

If you use remote access, you’ll need to secure it properly. Some tips to secure your remote access include:
  • Restrict access: if you need to use remote access, only give it to employees that require it. Don’t let every employee have access to it
  • Use a VPN: a virtual private network (VPN) adds an additional layer of security to your remote access and makes sure hackers can’t gain access to your network
  • Use multi-factor authentication: this combines at least two of something you have, something you are, and something you know. This extra security layer helps prevent hackers from getting into your remote access by guessing or brute-forcing a username and password
SEE ALSO: Configuring Your Remote Desktop Connection: What You’re Doing Wrong

Protecting your data

Remember that while there are many ways your business can be vulnerable to attacks, there are many ways to prevent these attacks. Examine your business and make sure these vulnerabilities aren’t present.

Need help in securing your data? Talk with one of our consultants!

Chase Palmer is the Senior Program Manager and has been working at SecurityMetrics for seven years. He manages the company’s largest corporate partners in running mass Level 4 PCI DSS programs worldwide. Chase has a Bachelor’s degree in Business Management from Western Governor’s University. He currently lives in Provo, Utah, and he loves everything about motorcycles.
2 Things You Should Know about PCI 3.2 Multi-Factor Authentication Updates

Learn what changes have happened to multi-factor authentication.  

By: Mark Miner
The PCI DSS 3.2 has recently made some changes to multi-factor authentication. But what changes have been made, and how do they involve your business?

SEE ALSO: PCI DSS 3.2 Changes: What Your Business Needs to Know

Here’s a quick explanation of the changes that have been made to PCI DSS 3.2’s requirements for multi-factor authentication.

1st change: multi-factor authentication title

The first change is simply a label change for clarification. Instead of calling it “two-factor authentication,” the PCI DSS wishes it to be called “multi-factor authentication.” This is to help clarify that businesses are required to have at least two factors of authentication, but aren’t just limited to two.

2nd change: clarifying the CDE and what requires multi-factor authentication

The other requirement change deals with what qualifies as the Card Data Environment (CDE) and when multi-factor authentication is required. This new change also clarifies to businesses when it should be used.

The PCI DSS requires that all remote access into the CDE requires multi-factor authentication. The problem we’ve run into is the clarification of what is part of the CDE and what isn’t.

Many businesses will have some support servers that aren’t considered part of their card environment. The new requirements clarify that while these servers may not be part of the CDE, they are in scope for PCI because they affect the security of the CDE. As a result, these systems should require multi-factor authentication.

Also, if you are accessing the CDE from the corporate network through remote desktop protocol, you will need to use multi-factor authentication. In the past, many companies didn’t define that as remote access because it originated within the corporate network. The PCI DSS has now removed this grey area by requiring that all non-console access requires multi-factor authentication. This means anytime you’re accessing your CDE from anywhere besides your console, you need to use multi-factor authentication.

SEE ALSO: Integrate 2fa Tech To Correctly Comply with PCI Req. 8.3

How do these changes involve jump boxes?

A jump box is a server that’s a buffer between you and the network. Instead of logging directly into the CDE, you would first be directed to the jump box, then to the CDE. Businesses often used jump boxes to get into their CDE without having to use multi-factor authentication.

Previously, some businesses used a jump box outside the CDE (on the corporate network) to connect to the CDE. Because the jump box was on the corporate network it wasn’t considered to be “remote access” and did not use multi-factor authentication. PCI DSS 3.2 now clarifies that all non-console access requires multi-factor authentication.
Even if you use a jump box, you still need to use multi-factor authentication.
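The difference between the old reading and the 3.2 clarification is easiest to see as two policy functions run over the same access requests. This is an added example, not SecurityMetrics’ code or any assessor tooling: the old reading requires MFA only when the origin is outside the corporate network, while the 3.2 reading requires it for any non-console access to a system that is in the CDE or that affects the CDE’s security, and neither a corporate origin nor a jump box in the path changes that. Host names, scope tags and the requests are constructed for the demo.

```python
"""Which access paths need multi-factor authentication under PCI DSS 3.2.

Added example, not SecurityMetrics' code. It models the distinction the post
draws: the old reading required MFA only for access originating outside the
corporate network, while 3.2 requires it for any non-console access to a
system in the CDE or to a connected system that affects the CDE's security,
whether or not the path goes through a jump box. Host names, scope tags and
the access requests are constructed for the demo.
"""

# Constructed inventory: scope tag per host.
SCOPE = {
    "pos-db01": "cde",             # stores cardholder data
    "log-collector": "connected",  # not in the CDE, but affects its security
    "corp-jump": "connected",      # jump box on the corporate network
    "hr-wiki": "out",              # unrelated to card data
}
NETWORK = {"corp-laptop": "corporate", "corp-jump": "corporate", "home-pc": "internet"}
IN_SCOPE = {"cde", "connected"}


def mfa_required_old_reading(request):
    """Pre-3.2 interpretation: only non-corporate ('remote') origins needed MFA."""
    if request["console"]:
        return False
    return NETWORK.get(request["origin"]) != "corporate"


def mfa_required_3_2(request):
    """3.2 clarification: any non-console access to an in-scope system needs MFA.

    The 'hops' field (jump boxes in the path) is deliberately ignored: a hop
    through a corporate jump box does not turn the access into console access.
    """
    if request["console"]:
        return False
    return SCOPE.get(request["target"]) in IN_SCOPE


def decide(request, policy):
    """'allow' if the policy is satisfied by what was presented, else 'deny'."""
    if policy(request) and not request["mfa"]:
        return "deny"
    return "allow"


def newly_blocked(requests):
    """Paths that passed under the old reading but are denied under 3.2."""
    return [
        r["name"] for r in requests
        if decide(r, mfa_required_old_reading) == "allow"
        and decide(r, mfa_required_3_2) == "deny"
    ]


REQUESTS = [  # constructed access requests
    {"name": "corp laptop -> jump box -> CDE db, password only",
     "origin": "corp-laptop", "hops": ["corp-jump"], "target": "pos-db01", "console": False, "mfa": False},
    {"name": "home PC -> CDE db, password only",
     "origin": "home-pc", "hops": [], "target": "pos-db01", "console": False, "mfa": False},
    {"name": "corp laptop -> log collector, password only",
     "origin": "corp-laptop", "hops": [], "target": "log-collector", "console": False, "mfa": False},
    {"name": "corp laptop -> HR wiki, password only",
     "origin": "corp-laptop", "hops": [], "target": "hr-wiki", "console": False, "mfa": False},
    {"name": "console login at the CDE db",
     "origin": "pos-db01", "hops": [], "target": "pos-db01", "console": True, "mfa": False},
    {"name": "corp laptop -> jump box -> CDE db, with MFA",
     "origin": "corp-laptop", "hops": ["corp-jump"], "target": "pos-db01", "console": False, "mfa": True},
]


if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r['name']}: old={decide(r, mfa_required_old_reading)}, 3.2={decide(r, mfa_required_3_2)}")
    print("newly blocked under 3.2:", newly_blocked(REQUESTS))
```

The two paths that flip from allow to deny are the ones the post calls out: the corporate-network jump box route into the CDE, and password-only access to a support server that is outside the CDE but in scope because it affects the CDE’s security.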

When should these changes be implemented? 

Keep in mind, these new requirements for multi-factor authentication are considered by the PCI DSS to be best practice until Jan 31, 2018. Organizations need to remember while that’s the deadline, they need to work on and implement the solution before then.

The sooner you start making these changes, the easier it will be for you to make the deadline on time.

Need help getting PCI compliant? Talk to us! 

Mark Miner is a Principal Security Analyst and Assessor at SecurityMetrics. He has over 21 years of experience in network security. Mark has current CISSP, QSA (P2PE), PA-QSA (P2PE) certifications, and his expertise has been focused on Payment Card Industry (PCI) security for the past 8.5 years. 
