If you were certified as compliant with just a 'simple port scan', without many in-depth interviews and physical inspections, you were probably paying a cheap certificate-mill. The PCI-SSC is making it harder for these people to stay in business by performing audits of the auditors, to verify they are in fact doing all the work the standard requires.
There are ways to do this. Some payment gateways will take cardholder data and store it, and give the merchant a token. Later, when you want to charge the card, the merchant sends in the token, and the gateway charges it.
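A minimal simulation of the tokenization flow described in the comment above, added here as an example and not taken from the original post or from any real gateway's API. The gateway, merchant and vault classes, the `tok_` prefix and the test card numbers are all constructed for illustration; a real vault would encrypt the stored PAN at rest, which is omitted so the script runs with the standard library only.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check on a primary account number (PAN); rejects non-digit input."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Gateway:
    """Hypothetical payment gateway holding the token vault (constructed example)."""

    def __init__(self):
        # token -> (PAN, expiry). Assumption: in a real gateway this store is
        # encrypted at rest under an HSM/KMS-managed key; omitted here.
        self._vault = {}
        self.charges = []

    def tokenize(self, pan: str, exp: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("PAN failed Luhn check")
        # The token is random, NOT a hash of the PAN: a 16-digit PAN with a known
        # BIN has only ~10^9-10^10 candidates, so a hash could be brute-forced back
        # to the card number and would itself count as cardholder data.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = (pan, exp)
        # Only the token, last four digits and expiry go back to the merchant.
        return {"token": token, "last4": pan[-4:], "exp": exp}

    def charge(self, token: str, amount_cents: int) -> dict:
        entry = self._vault.get(token)
        if entry is None:
            return {"ok": False, "error": "unknown token"}
        pan, _exp = entry
        self.charges.append((pan[-4:], amount_cents))   # never log the full PAN
        return {"ok": True, "amount": amount_cents, "last4": pan[-4:]}


class Merchant:
    """Hypothetical merchant that never persists a PAN (constructed example)."""

    def __init__(self, gateway: Gateway):
        self.gw = gateway
        self.customers = {}   # customer_id -> {token, last4, exp}

    def save_card(self, customer_id: str, pan: str, exp: str) -> str:
        # The PAN is handed straight to the gateway and dropped; only the
        # token record is kept, which is what keeps the merchant's database
        # out of scope for card-data storage requirements.
        rec = self.gw.tokenize(pan, exp)
        self.customers[customer_id] = rec
        return rec["token"]

    def charge_customer(self, customer_id: str, amount_cents: int) -> dict:
        rec = self.customers[customer_id]
        return self.gw.charge(rec["token"], amount_cents)


def demo() -> dict:
    """Walk through store-then-charge with a well-known test card number."""
    gw = Gateway()
    m = Merchant(gw)
    token = m.save_card("cust-1", "4111111111111111", "12/29")   # constructed input
    first = m.charge_customer("cust-1", 1999)
    bogus = gw.charge("tok_doesnotexist", 500)
    return {"token": token, "first": first, "bogus": bogus,
            "merchant_has_pan": "4111111111111111" in repr(m.customers)}


if __name__ == "__main__":
    print(demo())
```

The point the check at the end makes is the one the comment is getting at: after `save_card` the merchant's records contain a token and the last four digits, and a later charge needs only the token, so the full PAN never has to live on the merchant's side.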
Your level is based on the number of transactions processed per year, not your architecture.
Even level 4 merchants/service providers must comply with every aspect of the standard. The difference is how they validate (level 1s must have a full onsite assessment, level 4 maybe just a questionnaire).
And they usually miss gaping-wide holes like old Joomla installations that cry out to be cracked.
That should be found by the first penetration test, which is a separate requirement for any web-based systems.