According to the 4 levels of PCI certification, which level are you guys currently following?
You said that you've done network vulnerability scans, what about an annual SAQ? When it asks you if you've secured 'credit card holder data', just replace that with our 'Bitcoins'. lol.
By volume we're 3 or 4 but we've only been live for 22 days. Also we're not taking credit cards but adhering to their standards regardless.
We've done the SAQ and treated the Bitcoins as credit info as you suggest. We're treating ourselves as level 2. The next step up is on-site audits for level 1.
Obviously these are huge businesses like Amazon.com etc., but we're willing to go through on-site audits etc. and would prefer to, given some time.
PCI scanning and putting a seal on your website from Trust Guard, VeriSign or McAfee doesn't make you immune to all attacks, but it is one step towards a safer exchange and something we should have done a long time ago.
At least you acknowledge the uselessness of a seal. Really, it shouldn't be a selling point - every idiot can run nmap/nessus/acunetix...
Luckily (from Camp BX):
We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure
Means you're obviously 43x as secure as they are.

In all seriousness, publishing a report of a manually performed pentest or source code audit (perhaps with selected individuals) would be useful - this is 99% marketing talk, like TrustGuard/McAfee sell it to their customers. But it's good to see you're at least informing your clients...
We acknowledge that this is far from a silver bullet. Regardless, there are probably sites operating that would have failed or would currently fail these tests. This clears up the major vulnerabilities, and I'm happy that we didn't have to make any corrections when we received the audit. Our existing security was sufficient.
As I said before, this should be a bare minimum and we have more to come.