In October 2015, Visa announced a major change to its original Payment Card Industry (PCI) compliance deadline. According to the company’s official statement:
“Effective 31 March 2016, acquirers must communicate to all Level 4 merchants that beginning 31 January 2017, they must use only Payment Card Industry (PCI)-certified Qualified Integrators and Reseller (QIR) professionals for point-of-sale (POS) application and terminal installation and integration.”
Yet what do these new rules mean exactly, and why did Visa specifically extend the deadline for Level 4 merchants?
Let’s take a look.
What Level 4 Merchant PCI Compliance Really Means
Compliance rules exist to help credit card issuers, acquirers, processors and merchants reduce the severity and frequency of card-related data breaches.
Because hacking techniques continue to evolve with time, PCI security standards must also keep pace. Thus, Visa’s revised guidelines are designed to better reflect the current payment landscape.
More specifically, these new rules state that by January 31, 2017:
- Level 4 merchants may only use PCI-certified qualified integrators and resellers (QIRs).
- Level 4 merchants must conduct annual PCI compliance assessments, unless they are participating in Visa’s Technology Innovation Program (TIP).
OK, but what is a Level 4 merchant?
According to the Payment Card Industry, Level 4 includes:
“Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.”
In other words, this classification applies to smaller businesses.
Why single this group out, though? After all, data breaches can affect any company — of any size.
This is true. However, smaller businesses are the most vulnerable targets, since they typically have the fewest resources to protect themselves. In fact, Level 4 merchants account for roughly 93 percent of all data breaches. What’s more, the majority of those attacks stem from faulty POS installations and/or poor payment integration.
As a result, protecting Level 4 merchants is Visa’s No. 1 priority.
However, given the changes required, these smaller businesses need more time to upgrade their payment environments to the latest PCI standards. Hence — the extended deadline.
How BluePay Can Help You Achieve Level 4 PCI Compliance
At BluePay, our software and hardware payment tools automatically qualify as PCI-compliant QIR solutions. If you’re already using our secure payment gateway, POS terminals or payment modules, you won’t have to make any drastic changes.
Whether you’ll be required to conduct an annual PCI compliance assessment depends on your exact payment setup. Merchants meeting any of the following criteria may be exempt:
- Your business doesn’t store any sensitive authentication data once the transaction goes through. For example, you use BluePay’s hosted payment pages to securely collect credit card data.
- Your business processes at least 75 percent of all transactions through EMV terminals at the point of sale.
- Your business uses point-to-point encryption (P2PE) for all card data sent to and from your payment processor.
We still recommend doing an annual PCI compliance assessment — even if you’re technically exempt. However, if you’d like to avoid this step entirely, we can help you configure your payment environment so that it qualifies for Visa’s Technology Innovation Program.
To learn more about Visa’s PCI compliance rules and how to meet the upcoming deadline, contact our merchant services team today.