PCI DSS Compliance Levels and Requirements for Your Business

Posted on September 8, 2021 - by Darren Gallop - in PCI DSS

What are the 4 PCI DSS compliance levels?

With 80% of customers preferring card payments over cash and 45% of customers opting to store card information for online transactions, businesses realize that merely installing a firewall to protect their data assets from attacks is not enough.

Subjecting your business to a compliance audit for the Payment Card Industry Data Security Standard (PCI DSS) gives you a clear picture of the strengths and weaknesses of your security controls in place. Moreover, it allows you to make the changes and adjustments needed to protect critical information, including your customers’ credit card data.

There are four PCI compliance levels. You need to understand which of the four levels you fall into and know the PCI compliance requirements for your level to be compliant. There are more than 300 security controls and requirements in total, so it is important for you to know what requirements apply to your business.

PCI DSS Compliance Levels

The consortium of the major credit card companies, including Visa, Mastercard, American Express, JCB, and Discover, implements the PCI DSS security standards to ensure that all merchants accepting credit cards operate in and maintain a secure environment.

There are four PCI levels into which your business might fall, depending on the volume of card transactions you handle per year:

  • PCI Level 1: Businesses processing over 6 million transactions per year
  • PCI Level 2: Businesses processing 1 million to 6 million transactions per year
  • PCI Level 3: Businesses processing 20,000 to 1 million transactions per year
  • PCI Level 4: Businesses processing less than 20,000 transactions per year

Merchants can determine their level of PCI compliance by coordinating with their service providers or using reporting tools. It’s best to check specific merchant levels for the credit card companies you are using. 

If you need to be PCI DSS compliant and reap the benefits of being a trustworthy brand, the first and most vital step you need to take is figuring out what level you are at today.

PCI Level 1

Level 1 PCI compliance applies to merchants that process more than six million card transactions every year. While the other PCI levels only require completion of a Self-Assessment Questionnaire (SAQ), PCI DSS Level 1 compliance requires an annual Report on Compliance prepared by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). A QSA goes onsite to conduct the audit, while an ISA can be a member of your own team who is properly trained to perform the assessment and act as a liaison to external auditors. This PCI audit is the strictest of all the classifications. Businesses that suffer a data breach compromising cardholder data are also subject to an external audit, even if they are not otherwise considered a Level 1 merchant.

You will also be required to have your network scanned quarterly by an approved vendor. These Approved Scanning Vendors (ASVs) scan your computers, servers, cloud environments, and other devices for vulnerabilities and inform you of potential security issues.

Level 1 merchants also need a penetration test at least once each year. This is a form of cybersecurity assessment that checks your infrastructure for exploitable vulnerabilities. Because it combines a manual process with automated tools, it produces a more comprehensive report than vulnerability scanning alone.

For the Level 1 PCI audit, you will also submit an Attestation of Compliance (AOC) form, which formally states that you have met the PCI DSS requirements.

PCI Level 2

Merchants who fall under PCI Level 2 are not required to undergo an onsite PCI audit and only need to complete a Self-Assessment Questionnaire. There are different types of SAQs, so the number of questions you need to answer will vary depending on how you narrow down the scope of the assessment.

You might be required to have an onsite audit and an annual report on compliance if you were a victim of a data breach or if your acquiring bank sees it as necessary.

Other PCI DSS compliance requirements for a Level 2 assessment include a quarterly scan of your network by an approved vendor, an internal scan, and completion of an AOC form. As with Level 1, an annual penetration test is also required. Note: for service providers specifically, penetration tests are required every 6 months, according to PCI DSS Requirement 11.3.4.1.

PCI Level 3

Just like Level 2, merchants seeking Level 3 PCI certification are required to complete an SAQ, perform a quarterly network vulnerability scan, and submit an Attestation of Compliance form. At this level and below, businesses are not required to have a penetration test, although it is a security best practice that would still benefit your company.

It is important to take note that JCB International does not have Level 3 PCI compliance. Merchants processing less than a million JCB transactions a year are considered Level 2 merchants.

PCI Level 4

Level 4 PCI compliance is the lowest level of assessment set by the major credit card companies. Beyond the annual transaction volume threshold, businesses seeking this scope of assessment must not have suffered a data breach or a cyberattack that compromised cardholder data.

The only validation requirements for PCI Level 4 are:

  • Completion of the appropriate SAQ
  • Quarterly vulnerability scans of your network
  • Completion of an AOC

Though the annual requirements for Level 4 may be less work without a formal audit, implementing all of the PCI controls and maintaining them can still be a time-consuming process. The questionnaire requires you to attest that you have the appropriate security policies, procedures, and tools in place, as set out in the PCI security standard.

Let Securicy Help You Achieve PCI DSS Compliance

Securicy can help you simplify the process of getting PCI DSS compliant. It can get daunting for business owners, but with the right partner, you can simplify the work and save your team time.

Securicy is with you throughout the journey – from building your PCI DSS compliance foundation to helping you sustain a trustworthy security program. Talk with us today and book a demo.


About the author

Darren Gallop is a tech entrepreneur, information security expert, Techstars alumnus, board member, and the CEO of Securicy. He co-founded Securicy and led the team to develop a SaaS product that guides businesses through creating, implementing, and managing their information security and privacy compliance program. Gallop previously co-founded Marcato and was CEO there for 10 years, until the successful event management software company was acquired by Patron Technology. He is fluent in English and French, and adept in Spanish. Gallop spends much of his non-work time traveling or engaging in the outdoors: swimming, fly fishing, canoeing, camping, and surfing (basically in that order). He is from Nova Scotia, Canada.