Achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a lengthy and expensive process.
For Level 1 compliance, which is required for businesses that handle high volumes of payment card data, upfront costs can easily run you $1.1m and the journey to your certification can last between 9 and 12 months if you opt to build your compliant infrastructure by yourself.
With the VGS Platform, your journey to Level 1 compliance can be just 21 days – and your organization will end up paying 50-75% less than the cost of DIY.
What Is PCI DSS and Who Needs to Achieve Compliance?
If your business handles payment card data, whether you collect, store, or transfer that highly sensitive data, then you must comply with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS requirements were originally developed by the PCI Security Standards Council (PCI SSC). The Council is a consortium of the major credit card brands, including Visa, Mastercard, Discover, JCB International, and American Express, which created these security standards in an effort to reduce credit card fraud.
While not a legal obligation, PCI DSS is non-optional for organizations that want to continue transacting with the payment card networks that make up the PCI SSC. If your business collects, transmits, maintains, or transfers cardholder data, then you are within the scope of PCI compliance - no matter how many transactions you process.
PCI DSS Compliance Levels
PCI DSS compliance is broken down into 2 categories – merchants and service providers – with different levels based on how many credit card transactions you handle annually:
Level 1: Businesses that process over 6 million card transactions per year.
Level 2: Businesses that process between 1 million and 6 million card transactions per year.
Level 3: Businesses that process between 20,000 and 1 million card transactions per year.
Level 4: Businesses that process under 20,000 card transactions per year.
For service providers:
Level 1: Businesses that process over 300,000 transactions per year.
Level 2: Businesses that process under 300,000 transactions per year.
Achieving PCI Level 1 Compliance
When it comes to PCI compliance for Level 2, Level 3, and Level 4 organizations, companies can validate their compliance status by completing a Self Assessment Questionnaire (SAQ) and sign their own Attestation of Compliance (AOC).
Level 1 PCI compliance, on the other hand, requires that organizations bring in an outside auditor to verify that they’ve fulfilled all 12 PCI DSS requirements.
PCI DSS Level 1 Requirements
For Level 1 merchants and service providers, which handle the highest volumes of PCI data, a simple SAQ isn’t enough to validate their compliance. Instead, Level 1 businesses must have a certified PCI auditor verify that they’ve done everything required to attain their PCI DSS certification.
These auditors, referred to as Qualified Security Assessors (QSAs), professionally assess your security systems and processes to certify that you’ve complied with all PCI security standards - resulting in an official Report on Compliance (ROC).
Preparing for this audit process is daunting, but working with a data security partner like VGS can accelerate the journey to your ROC by removing you from PCI compliance scope and simplifying how you handle sensitive PCI data.
VGS Solutions for PCI DSS Level 1 Compliance
Integrating VGS solutions into your business provides you with powerful and useful data management tools, along with peace of mind in knowing that all your sensitive information is safe, secure, and compliant. But what exactly does that entail?
With basic integrations of our innovative VGS products, merchants who must achieve PCI DSS Compliance Levels 2-4 (those that process fewer than 6 million transactions) and service providers who must complete Level 2 compliance (those who process fewer than 300,000 transactions) can automatically achieve PCI compliance - by inheriting VGS’ compliance posture.
But how do VGS partners prove they’ve reached full compliance through our data security and routing solutions?
In addition to the ability to accept card payments, VGS customers will receive all the documentation necessary to demonstrate that they are protecting their cardholder data in a PCI compliant fashion. When you integrate with VGS for the first time, all PCI Level 2-4 documentation is automatically generated, including a pre-completed Self Assessment Questionnaire (SAQ).
On top of that, you will also receive our Attestation of Compliance (AOC). This documentation is proof that we, as a vendor, are a PCI compliant Level 2-4 service provider and includes a letter stating that VGS provides PCI-certified services on your company’s behalf.
But what about merchants who surpass 6 million transactions or service providers who surpass 300,000 transactions, requiring Level 1 PCI DSS Compliance?
VGS has streamlined the process for merchants and service providers to achieve PCI Level 1 compliance, fast-tracking your path to full compliance.
Here’s a quick comparison spelling out the various PCI DSS compliance levels and what VGS provides you to achieve compliance:
As your business grows and you begin processing more card transactions, VGS helps you navigate the process to demonstrate compliance for a Level 1 merchant or service provider.
Typically, obtaining PCI compliance for Level 1 organizations can take 6–12 months. With VGS, on the other hand, the same level of compliance can be reached in just 14-28 days. We work with your auditor so VGS customers easily obtain a Report on Compliance (ROC). By shifting the cardholder data environment (CDE) to VGS entirely, your own network is out of scope because none of the sensitive data is handled or stored on your own systems. Once integration is complete, a qualified security assessor (QSA) can be engaged to perform an audit and create a ROC certifying that your business is PCI compliant.
To learn more about PCI security and compliance, visit our website where you could try our product for free.