I was talking to a company that accepts credit cards for monthly subscription or service dues (think something as simple as paying your electric bill with your credit card), and when I asked them what level merchant they were, I was shocked to have them tell me they were at the top end of the Level 3 bracket!  While I do not advocate focusing your PCI DSS efforts based only on your validation requirements, it is interesting to consider what might happen if you were to reduce the number of payment card transactions you process in one year.


Is there a way to game the system?  Well, maybe two ways.  The first is to delete PCI DSS data, but that’s not really gaming the system.  That’s doing the responsible thing in devaluing this data.  The second would be to reduce the number of transactions that you run per year.

Let’s consider the second.  Say you are a Level 2 merchant, processing 1.5 million transactions per year.  You are a monthly recurring business that has around 250,000 customers, so you could be a regional telco or utility.  Now, what would happen if you offered your customers the option to pay quarterly?  It’s a little bit of help, as you can now become a Level 3 if enough customers adopt your plan.  That means fewer fines and less compliance pressure.

Now what if you offered ACH as a method of payment as well?  Maybe you could get that number under 20K transactions per year, and you become a Level 4 for more than one payment brand (let’s not talk reciprocity here)!

The point is that you have it in your power to offer incentives that “game the system” in order to change the pressure put upon you to comply with PCI DSS.  I am still a firm believer that it is a good standard, though you would be better served by implementing a control framework like ISO 27002 and mapping your PCI DSS compliance back to it.  Regardless, you have options!

This post originally appeared on BrandenWilliams.com.