
PCI DSS Compliance Levels - What You Need to Know

Introduction

All entities that process, store or transmit cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate from the card brands. While PCI compliance levels vary, compliance is mandatory for any business that accepts credit card payments.

PCI offers a tangible framework for merchants to identify and address payment card data threats and vulnerabilities that could lead to a breach. It holds merchants accountable for securing their business environment and for business policies (or lack thereof) and employees' actions that lead to a data breach.

The PCI council isn't equipped to check into every business to make sure PCI regulations are being met, but the consequences of non-compliance can be grave. If a breach occurs and it's determined that the business was not compliant at that moment, it will face hefty fines and fees as well as reputational damage and customer attrition.

The PCI Compliance Requirements

There are 12 main requirements and over 300 sub-requirements for PCI compliance:


Build and Maintain a Secure Network and Systems

Requirement 1 Install and maintain network security controls.

Requirement 2 Apply secure configurations to all system components.

Protect Cardholder Data

Requirement 3 Protect stored cardholder data.

Requirement 4 Use strong cryptography during transmission over open, public networks.

Maintain a Vulnerability Management Programme

Requirement 5 Protect systems and networks from malicious software.

Requirement 6 Develop and maintain secure systems and software.

Implement Strong Access Control Measures

Requirement 7 Restrict access to system components and cardholder data by business need to know.

Requirement 8 Identify users and authenticate access to system components.

Requirement 9 Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10 Log and monitor all access to system components and cardholder data.

Requirement 11 Test security of systems and networks regularly.

Maintain an Information Security Policy

Requirement 12 Support information security with organisational policies and procedures.


Goals of PCI DSS

PCI DSS compliance aims to:

  • Protect sensitive cardholder data (e.g. PAN, expiration date, CVV).
  • Maintain secure networks (e.g., firewalls, encryption).
  • Regularly monitor and test networks for vulnerabilities.
  • Implement access control measures.
  • Develop and maintain secure systems and applications.

Consequences of Non-Compliance

Failing to comply with PCI DSS can result in:

  • Hefty fines and penalties from card networks (e.g., Visa, Mastercard).
  • Increased vulnerability to data breaches.
  • Loss of ability to process credit card payments.
  • Reputational damage and loss of customer trust.


How do you comply with PCI DSS requirements?

It largely depends on the number of transactions your business processes during the year. By this parameter, all merchants are divided into Four Levels:

  • LEVEL 1 - This covers businesses handling more than 6 million Visa, Mastercard, or Discover transactions, more than 2.5 million American Express transactions, or more than one million JCB transactions.

    A company will also be consigned to this strictest compliance level if it has recently experienced a data breach, regardless of transaction volumes.

    To achieve Level 1 compliance, you must:
    1. conduct quarterly vulnerability scans, involving approved scanning vendors (ASVs);
    2. have an onsite audit done by an external auditor who will prepare a Report on Compliance (RoC);
    3. complete an Attestation of Compliance (AoC) form.

    Businesses that fall under all other levels don't need to invite third-party auditors for annual onsite checks. Instead, they file an appropriate Self-Assessment Questionnaire (SAQ) that helps companies validate their compliance with PCI DSS.

  • LEVEL 2 - This covers one to six million Visa, Mastercard, or Discover transactions, 50,000 to 2.5 million AmEx transactions, or fewer than one million JCB transactions.

    Compliance entails quarterly vulnerability scans and completing SAQ and AoC forms. Some Level 2 merchants must also have a RoC issued.

  • LEVEL 3 - This covers 20,000 to one million Visa, Mastercard, or Discover transactions, or fewer than 50,000 AmEx transactions annually.

    These merchants still undergo quarterly scanning by an ASV, complete an annual SAQ, and submit an Attestation of Compliance.

  • LEVEL 4 - relates to less than 20,000 Visa or Mastercard transactions. The validation typically involves quarterly network scans by an ASV and completing an annual SAQ and AoC.


Key Validation Components

Self-Assessment Questionnaire (SAQ): A tool for merchants to evaluate their compliance level. Different SAQ versions exist depending on the merchant's environment (e.g., card-present, e-commerce, or both).

Quarterly Vulnerability Scans: Conducted by an ASV to identify and address security risks in networks and systems.

Penetration Testing: A simulated cyberattack to evaluate the resilience of the organisation's security defences.

Report on Compliance (RoC): Required for Level 1 merchants, this detailed report verifies that all PCI DSS controls are implemented.


Determining Your Merchant Level

Merchants can determine their PCI compliance level by consulting their merchant services provider or using their provider's reporting tools. Level 1-3 merchants have more complex compliance requirements because of the size and nature of their business. They are also more likely to have internal IT and compliance teams to implement and monitor their compliance programmes.


Most merchants who identify as small or medium-sized businesses fall under the Level 4 category. While the compliance requirements may be somewhat simpler, these merchants often find it more challenging to meet the requirements if they do not have internal IT infrastructure. Fortunately, providers like us offer PCI compliance assistance products that make the process more affordable for Level 4 merchants.


Maintaining PCI Compliance

PCI compliance is not a one-time event; it requires ongoing effort. As a business owner, much of this effort rests on you. Focusing only on an annual compliance assessment can create a false sense of security. According to the PCI SSC, security controls deployed by organisations that had passed an assessment were often out of compliance when breaches occurred later.

Once you've achieved compliance, it's important to implement practices to maintain your compliant status. Here are some things you can do:

  • Maintain secure computer networks by segmenting systems, using firewalls, and prohibiting internet usage on the POS for anything but payment processing
  • Conduct regular security checks and maintain a vulnerability management programme that includes keeping anti-virus software updated and running external network vulnerability scans
  • Require monthly password updates and make sure passwords are unique and that staff do not share passwords
  • Perform system access audits and ensure staff have the lowest levels of access necessary to perform their job tasks
  • Implement employee training regarding PCI and data security best practices
  • Create and maintain a security policies and procedures document that includes the details listed above as well as other activities to protect payment and cardholder data.