If you handle payments, you have a responsibility to keep your customers' sensitive data safe and secure. While this has always been important, it has become increasingly critical in recent years due to the prevalence of cybersecurity attacks and breaches.
The Payment Card Industry Security Standards Council (PCI SSC) was set up by the major credit card companies (Mastercard, Visa, American Express, Discover, and JCB) to mitigate this threat. Any organization of any size that accepts payments via credit cards must comply with the standards set out by the PCI SSC. There are many advantages to doing so. For example, compliance helps to protect the confidential data of cardholders, reduces security breaches, and bolsters the reputation of the brand — one data breach is enough to cause significant reputational damage to a company.
PCI compliance is split into different levels. All companies fit into one of those levels. In this blog, we’re going to take a deeper look at PCI compliance, including providing a general overview and outlining the different levels, how to find out what level a company is, and how you can remain PCI compliant moving forward.
General Overview
For a thorough explanation of the requirements of PCI compliance see our overview of What is PCI compliance and why you need it.
Regardless of the ‘compliance level,’ companies need to be in line with the requirements as set out by the PCI SSC. The twelve requirements are:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
The Levels
A company’s compliance level is based on the volume of card transactions (of any type: credit, debit, and prepaid cards) it processes within a twelve-month period. While companies are automatically placed into a compliance level based on their transaction count, an organization can be moved up to a higher level. This may happen if the company experiences a data breach that leads to the exposure of confidential data.
Level 1
To be a Level 1 merchant, a company must process more than six million transactions in a twelve-month period via all channels — for example, via a terminal, through mobile apps, and via an eCommerce platform. If an organization is global and processes more than six million transactions across the globe, then it may also qualify.
If a company is a Level 1 merchant, they must:
Hire a Qualified Security Assessor (QSA) to conduct a Report on Compliance (known as a ROC) each year.
Hire an Approved Scanning Vendor (ASV) to conduct quarterly network scans.
Complete the Attestation of Compliance Form.
Level 2
To be a Level 2 merchant, a company must process between one million and six million card transactions in a twelve-month period. As with Level 1 merchants, a ‘transaction’ applies to all channels, including card present, card not present, and eCommerce stores.
If a company is a Level 2 merchant, they must:
Conduct an Annual Self-Assessment Questionnaire (known as an SAQ).
Hire an ASV to conduct quarterly network scans.
Complete the Attestation of Compliance Form.
Level 3
To be a Level 3 merchant, a company must process between 20,000 and one million card transactions only via eCommerce processing methods. “Real-world” transactions, such as ones that require a payment terminal, do not count.
If a company is a Level 3 merchant, they must:
Conduct an Annual Self-Assessment Questionnaire.
Hire an ASV to conduct quarterly network scans.
Complete the Attestation of Compliance Form.
Level 4
To be a Level 4 merchant, a company must process up to one million card transactions through all channels (“real world” transactions and online) and must process fewer than 20,000 card transactions only via eCommerce processing methods.
Level 4 status also applies to any merchant that processes fewer than 20,000 transactions via eCommerce processing methods.
If a company is a Level 4 merchant, they must:
Conduct an Annual Self-Assessment Questionnaire.
Hire an ASV to conduct quarterly network scans.
Complete the Attestation of Compliance Form.
How To Find Out Your Level
To find out its compliance level, a company has to consult the data. The number of transactions it processes each year will be available through the reporting tools provided by its merchant services provider. This can be slightly more difficult for companies at levels 1 – 3. However, those companies typically have internal teams to manage compliance. The vast majority of companies are Level 4. Yet, while this level of compliance is less complicated than levels 1 – 3, these companies usually don’t have internal teams that can manage compliance. Regardless of capability, all companies must follow the standards of their level.
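As an added example (not code from the original post), the script below applies the level thresholds exactly as the post states them to a trailing twelve-month window of monthly transaction counts per channel, and lists the obligations for the resulting level. The monthly counts are constructed sample data; in practice they would come from the merchant services provider's reporting tools.

```python
from collections import defaultdict

# Constructed sample export: (year, month, channel, transaction_count).
# December 2022 carries a large eCommerce spike so that the twelve-month
# window chosen changes the resulting level.
SAMPLE_ROWS = [(2022, 12, "ecommerce", 30_000)]
SAMPLE_ROWS += [(2023, m, "ecommerce", 1_500) for m in range(1, 13)]
SAMPLE_ROWS += [(2023, m, "terminal", 5_000) for m in range(1, 13)]

# Obligations per level, as listed in the post.
OBLIGATIONS = {
    1: ("Annual Report on Compliance (ROC) by a QSA",
        "Quarterly ASV network scans", "Attestation of Compliance"),
    2: ("Annual Self-Assessment Questionnaire (SAQ)",
        "Quarterly ASV network scans", "Attestation of Compliance"),
    3: ("Annual Self-Assessment Questionnaire (SAQ)",
        "Quarterly ASV network scans", "Attestation of Compliance"),
    4: ("Annual Self-Assessment Questionnaire (SAQ)",
        "Quarterly ASV network scans", "Attestation of Compliance"),
}


def trailing_twelve_month_totals(rows, end_year, end_month):
    """Sum counts per channel over the 12 months ending in end_year/end_month."""
    end_idx = end_year * 12 + (end_month - 1)   # months since year 0
    start_idx = end_idx - 11
    totals = defaultdict(int)
    for year, month, channel, count in rows:
        if start_idx <= year * 12 + (month - 1) <= end_idx:
            totals[channel] += count
    return dict(totals)


def pci_level(total_transactions, ecommerce_transactions):
    """Level thresholds as stated in the post: Levels 1 and 2 depend on the
    total across all channels; Levels 3 and 4 split on eCommerce volume."""
    if total_transactions > 6_000_000:
        return 1
    if total_transactions > 1_000_000:
        return 2
    if ecommerce_transactions >= 20_000:
        return 3
    return 4


def classify(rows, end_year, end_month):
    """Derive level and obligations for the window ending in the given month."""
    totals = trailing_twelve_month_totals(rows, end_year, end_month)
    total = sum(totals.values())
    ecommerce = totals.get("ecommerce", 0)
    level = pci_level(total, ecommerce)
    return {"total": total, "ecommerce": ecommerce,
            "level": level, "obligations": OBLIGATIONS[level]}
```

Run `classify(SAMPLE_ROWS, 2023, 12)` for the calendar-year window (Level 4) and `classify(SAMPLE_ROWS, 2023, 11)` for the window that includes the December 2022 spike (Level 3); a breach can still move a merchant above the computed level, which this script does not model.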
Staying On Top of PCI Compliance Levels
It’s important to remember that companies don’t just set up their compliance procedures once and then get back to business. Compliance requires ongoing management, especially if you think that your compliance level may have changed. If you don’t stay on top of compliance, you may be unwittingly leaving your company vulnerable to a data breach.
Final Thoughts
PCI compliance may sound complicated, but it’s more straightforward than many people think. Ultimately, it’s there to help keep customers and businesses safe. By investing in your PCI compliance, you’ll be helping to significantly reduce the threat of cybercrime and data breaches, and that can only have a positive impact on an organization.

Seb de Lemos