The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. Cardholder data is any personally identifiable data associated with a cardholder: an account number, expiration date, name, address, or any other identifying information. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is likewise considered cardholder data. The PCI DSS is administered and managed by the PCI Security Standards Council (PCI SSC), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
The payment card industry (PCI) uses merchant levels to determine risk and ascertain the appropriate level of security for their businesses. Specifically, merchant levels determine the amount of assessment and security validation that is required for the merchant to pass PCI DSS assessment.
These are the four levels of PCI compliance as mandated by the card brands Visa and Mastercard, defined according to the volume of credit card transactions per year:
I) PCI Compliance Level 1
Over 6 million Visa and/or Mastercard transactions processed per year
II) PCI Compliance Level 2
1 million to 6 million Visa and/or Mastercard transactions processed per year
III) PCI Compliance Level 3
20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year
IV) PCI Compliance Level 4
Fewer than 20,000 Visa and/or Mastercard e-commerce transactions processed per year, and all other companies that process up to 1 million Visa transactions per year
Subscription billing companies like Zuora, Chargify and Chargebee are Level 1 PCI compliant, the highest level a business can attain. They also work only with the most reputable gateways to make sure all of your customers' payment information is stored in a PCI-compliant way. Being PCI Level 1 compliant means they have been thoroughly evaluated by outside auditors to ensure they run a tight ship. These standards dictate everything from how they secure physical infrastructure to what processes software developers can use to update production systems.
These subscription billing tools do not store credit card information of any kind. They work in conjunction with your payment gateway's secure "vault" to store your customers' credit card information in a secure, PCI-compliant location.
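The gateway "vault" arrangement described above is what keeps full card numbers out of the billing system and out of the merchant's PCI scope. The following is an added example, not code from the page or from Zuora, Chargify, Chargebee or any real gateway: the merchant side exchanges the card for an opaque token issued by a simulated vault and persists only the token and a masked number. The vault class, token format, Luhn-only validation and the well-known Visa test number 4111 1111 1111 1111 used in the comments are all assumptions made for illustration.

```python
"""Added example (not from the original page): a minimal model of the gateway
'vault' pattern. Only the simulated vault ever holds a full primary account
number (PAN); the merchant keeps a token plus a masked PAN for display.
The vault API, token format and record layout are illustrative assumptions."""

import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Return True if a digit-only string passes the Luhn checksum."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else is replaced by '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


class SimulatedGatewayVault:
    """Stand-in for the payment gateway's vault (assumption, not a real API).
    It is the only component in this example that stores a full PAN."""

    def __init__(self) -> None:
        # token -> (PAN, expiry); a real vault would encrypt and access-control this
        self._store: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        # Random token: nothing about the PAN can be recovered from it
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Authorize a charge by token; the PAN never leaves the vault."""
        return token in self._store and amount_cents > 0


@dataclass
class StoredCustomer:
    """What the merchant persists: no PAN, no expiry, no security code."""
    customer_id: str
    gateway_token: str
    masked_pan: str


class MerchantBilling:
    """Merchant-side subscription billing that never persists card numbers."""

    def __init__(self, vault: SimulatedGatewayVault) -> None:
        self.vault = vault
        self.customers: dict[str, StoredCustomer] = {}

    def add_card(self, customer_id: str, pan: str, expiry: str) -> StoredCustomer:
        token = self.vault.tokenize(pan, expiry)      # PAN handed to the vault once
        record = StoredCustomer(customer_id, token, mask_pan(pan))
        self.customers[customer_id] = record
        return record

    def bill(self, customer_id: str, amount_cents: int) -> bool:
        record = self.customers[customer_id]
        return self.vault.charge(record.gateway_token, amount_cents)


def merchant_holds_no_pan(billing: MerchantBilling, pan: str) -> bool:
    """Scope check: the full PAN must not appear anywhere in merchant records."""
    return all(pan not in repr(rec) for rec in billing.customers.values())


if __name__ == "__main__":
    vault = SimulatedGatewayVault()
    billing = MerchantBilling(vault)
    # Constructed input: the standard Visa test number, not a real card
    rec = billing.add_card("cust_1", "4111111111111111", "12/30")
    print(rec)                                       # token + ************1111
    print("charged:", billing.bill("cust_1", 999))
    print("merchant holds no PAN:", merchant_holds_no_pan(billing, "4111111111111111"))
```

The design point is that the merchant's own database, logs and backups contain nothing a card fraudster could use, so the systems holding them fall outside the cardholder data environment; the Luhn check only catches typos and is not a substitute for the gateway's validation.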