
Leaping from Level 2 to Level 1 PCI Merchant Status? Here’s how we can help
For many merchants, PCI compliance and related activities are a necessary annual pursuit that requires additional work from resource-strapped internal business units. The looming complexities of PCI DSS 4.0, combined with the transition to Level 1 merchant status, will likely leave many organizations in the lurch as they determine how to handle these increased responsibilities.
Shelli Moring, Senior Consultant at W. Capra Consulting Group, shared, “Merchants moving from Level 2 to Level 1 PCI Compliance are frequently facing two issues. First, they underestimate the additional rigor required to complete a Level 1 audit versus a Level 2 self-assessment. Second, an incomplete understanding of how credit card transaction counts trigger the move to Level 1 often makes the undertaking difficult and unexpected. Layer this additional responsibility on top of a swamped IT team and it’s a recipe for disaster.”
Moving the goal posts
IT units in 2022 are often tasked with a wide variety of responsibilities. Taking on an additional large responsibility may not be feasible without adding headcount. Furthermore, unless you have team members with experience working with a Qualified Security Assessor (QSA) to complete a Level 1 assessment, climbing the learning curve, or even assembling the known list of activities, could be a herculean task.
Josh Kennedy, Senior PCI Security Consultant at W. Capra, added, “Some of the changes related to Level 1 are glossed over. For instance, the move to Level 1 is accompanied by a search for an approved vendor to complete vulnerability scans. Sometimes you might think you’ve found the perfect vulnerability scan vendor only to find out that they aren’t on the PCI Approved Scan Vendor list.”
But wait, there’s more
If making the leap from a Level 2 to a Level 1 merchant wasn’t daunting enough, there’s also the looming threat of significant fines if a merchant does not satisfy the requirements of compliance. Moring added, “Imagine your organization was working to implement a new ERP system, but rather than just missing your go-live date you could also get fined for failing to complete the project on time. The stakes of not meeting PCI requirements are greater and potentially costlier.”
At W. Capra, we work with our clients to lead and provide expertise as it relates to PCI Compliance processes, both for Level 2 and Level 1 merchants. Kennedy elaborated, “We’ve found our clients benefit from our services across a wide spectrum; whether you need us available a few hours a week to answer questions while you work with your QSA to obtain your ROC or you need an experienced resource to lead and complete the assessment process, our team maintains the expertise to tackle any PCI-related challenge with the necessary know-how and precision.”
Shelli Moring and Josh Kennedy are dedicated to leading W. Capra clients in tackling all things PCI. For further discussion, contact Shelli Moring at [email protected] or Josh Kennedy at [email protected].






