NCR Counterpoint Blog

What PCI Level Am I?

Posted by Marilyn Grant on Jun 4, 2015 1:46:00 PM

As retail merchants, we hear daily messages about business security and reducing risks for a credit card  breach. With one of these messages being PCI Compliance, you might as "What PCI Level Am I?"

Making sure your software is PCI compliant is one of the steps you can take to add another security layer onto your store.  Below, we've outlined what validation you'll need based on your store and steps you can take to complete your validation.  


What is my validation requirement? 

Your annual volume of processing credit cards controls the requirements you will need to meet to show that your business is compliant.

Category by Volume Validation Requirement
Level 1: More than 6 million transactionsannually (including e-commerce)
  • Annual onsite PCI Data Security Assessment
  • Quarterly network scans
Level 2:1 to 6 million transactions annually
  • Annual self-assessment
  • Quarterly network scans
Level 3: 200,000 to 1 million ecommercetransactions annually
  • Annual self-assessment
  • Quarterly network scans
Level 4: Up to 1 million transactions annually,and fewer than 20,000 ecommerce transactions
  • Annual self-assessment
  • Annual network scan

What are the requirements to be compliant? 

There are 12 requirements of all organizations that process, store or transmit credit card data. All of them are common sense security measures that focus on attention to detail and risk management.

1. Install and maintain a firewall configuration to protect cardholder data: Have a firewall configuration policy that protects cardholder data and build a plan for testing it.

2.  Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data: This means not storing full credit card numbers anywhere – even outside of your computer system.

4. Encrypt transmission of cardholder data and sensitive information across open, public networks: 

Payment applications that are built into Counterpoint store cardholder data in the Counterpoint database in an encrypted form.  If you use point-to-point encrypted readers for your credit cards, along with NCR Secure Pay, you will also ensure that cardholder data is encrypted from the moment the card is swiped, before it reaches your Counterpoint database. The breaches you’ve heard about recently to several large retailers occurred because they were not using point-to-point encrypted devices.

5. Use and regularly update anti-virus software or programs: 

Malicious software, commonly referred to as “malware”, refers to viruses, worms, and Trojans. They enter a network during many business-approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices. Anti-virus software must be used on all systems commonly affected by malware, and the anti-virus software needs to be updated regularly to avoid attack by new forms of malicious software.

6. Develop and maintain secure systems and applications.

Keep up to date with new security vulnerabilities that may impact your environment. Sources for information often include vendor websites, industry news groups, and mailing lists. Once you identify a vulnerability that could affect your environment, evaluate and rank the risk imposed by that vulnerability. This will allow you to prioritize and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited.

not storing full credit card numbers

7. Restrict access to cardholder data by business need-to-know.

Have systems and processes in place to limit access based on need to know and according to job responsibilities. “Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.

8. Assign a unique ID to each person with computer access.

Assigning a unique ID to each person ensures that each individual is uniquely accountable for their actions. This allows you to trace actions taken on critical data and systems to known and authorized users and processes. This requirement applies to all accounts, including point-of-sale accounts, all accounts used to view or access cardholder data or to access systems with cardholder data, and accounts used by vendors and other third parties (for example, for support or maintenance).

9. Restrict physical access to cardholder data. 

Physical access to data or systems that store cardholder data provides the opportunity for individuals to remove systems, electronic media or hardcopies containing cardholder data, and should be appropriately restricted. This applies to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the premises. It also applies to a vendor, guest, service workers, or anyone who needs to enter the facility for a short duration.

10. Track and monitor all access to network resources and cardholder data.

Logging and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs. This requirement means that you must restrict access to the logs (to prevent altering them), and the logs must be reviewed regularly.

11. Regularly test security systems and processes.

Malicious individuals continually discover vulnerabilities that can be introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment. You should have policies and procedures to detect and identify both authorized and unauthorized wireless access points. Unauthorized wireless devices may be hidden within or attached to a computer or other system component, or be attached directly to a network port or device, such as a switch or router. Such unauthorized devices could result in an unauthorized access point into the environment.

12. Maintain a policy that addresses information security for employees and contractors.

A strong security policy sets the security tone for the whole company and informs personnel what is expected of them. PCI training is a must. You should have a formal training program on what they have to do to ensure they are handling credit card data in a manner that supports the PCI requirements. The training program should apply to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” at the company’s site or who otherwise have access to the cardholder data environment.



PCI Compliance is just one step in maintaining a secure business network. Learn other steps in securing a network or talk to your local point of sale system provider. 

 New Call-to-action

Topics: Security