Fintech Insights

What you need to know about PCI compliance levels

July 30, 2019

All entities that process, store or transmit cardholder data must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate from the card brands. While PCI compliance levels vary, compliance is mandatory for any business that accepts credit card payments.

PCI offers a tangible framework for merchants to identify and address payment card data threats and vulnerabilities that could lead to a breach. It holds merchants accountable for securing their business environment and for business policies (or lack thereof) and employees’ actions that lead to a data breach.

The PCI Security Standards Council (PCI SSC) does not audit individual businesses; PCI DSS is a contractual standard enforced by the card brands through acquiring banks and payment processors. The consequences of non-compliance can nevertheless be grave. If a breach occurs and the business is found not to have been compliant at the time, it can face fines and fees passed down by the card brands, as well as reputational damage and customer attrition.

PCI compliance requirements

There are 12 over-arching requirements for PCI compliance (PCI DSS v3.2.1 was the version in force at the time of writing):

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

The PCI compliance levels

There are four levels, or tiers, of PCI compliance that merchants are organized under based upon their card transaction volume (credit, debit, and prepaid) over a 12-month period. Each card brand defines its own levels; the thresholds below are the commonly cited Visa and Mastercard ones, and your acquirer applies the brand rules to your account. If a merchant suffers a breach that results in account data compromise, the card brand may escalate it to a higher level at its discretion.

Read on to identify which PCI compliance level applies to your business as of July 2019, and the steps you may need to take to achieve compliance.

Level 1 merchants

Level 1 merchants process over 6 million card transactions annually through all channels (card present, card not present, eCommerce). A global merchant whose combined volume across all regions exceeds 6 million transactions may also be classified as Level 1 for the entire business, and a card brand can designate any merchant as Level 1 at its discretion.

Merchants who are considered Level 1 must do the following:

  • Complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA), or through an Internal Security Assessor (ISA) where the card brand permits it
  • Complete quarterly network scans by an Approved Scanning Vendor (ASV)
  • Complete the Attestation of Compliance Form​

Level 2 merchants

Level 2 merchants process 1 to 6 million card transactions annually through all channels (card present, card not present, eCommerce). Mastercard additionally requires that a Level 2 merchant's SAQ be completed by staff holding PCI SSC Internal Security Assessor (ISA) certification, or that the merchant undergo a QSA onsite assessment instead.

Merchants who are considered Level 2 must do the following:

  • Complete an Annual Self-Assessment Questionnaire (SAQ)
  • Complete a quarterly network scan by an ASV
  • Complete the Attestation of Compliance Form

Level 3 merchants

Level 3 merchants process 20,000 to 1 million card transactions annually, exclusively via eCommerce.

Merchants who are considered Level 3 must do the following:

  • Complete an Annual SAQ
  • Complete a quarterly network scan by an ASV
  • Complete the Attestation of Compliance Form

Level 4 merchants

Level 4 merchants process fewer than 20,000 eCommerce transactions annually, or up to 1 million card transactions annually through all channels (card present, card not present, eCommerce). In other words, any merchant below the Level 3 eCommerce threshold and below the Level 2 all-channel threshold is Level 4.

Merchants who are considered Level 4 must do the following:

  • Complete an Annual SAQ
  • Complete a quarterly network scan by an ASV
  • Complete the Attestation of Compliance Form

Determining your merchant level

Merchants can determine their PCI compliance level by consulting their merchant services provider or using their provider’s reporting tools. Level 1-3 merchants have more complex compliance requirements because of the size and nature of their business. They are also more likely to have internal IT and compliance teams to implement and monitor their compliance programs.

Most merchants who identify as small- or medium-sized businesses fall under the Level 4 category. While the compliance requirements may be somewhat simpler, these merchants often find it more challenging to meet them if they do not have internal IT staff or infrastructure. Fortunately, providers like Worldpay offer PCI compliance assistance products that make the process more affordable for Level 4 merchants.

About the Self-Assessment Questionnaire (SAQ)

The SAQ a merchant must complete depends upon how they accept card payments. For example, SAQ A applies to card-not-present (eCommerce or MOTO) merchants that do not store, process, or transmit cardholder data on their own systems or premises and have fully outsourced those functions to PCI DSS validated third parties. Merchants that use a standalone, dial-out terminal and have no electronic cardholder data storage complete SAQ B. Several other SAQs (A-EP, B-IP, C-VT, C, P2PE and D) cover other acceptance channels; SAQ D is the longest and applies to any merchant that does not fit the narrower ones. Contact your payments provider or refer to the PCI SSC if you are unsure about which form to complete.

Maintaining PCI compliance

PCI compliance is not a one-time event: it requires ongoing effort. As a business owner, much of this effort rests on you. Focusing only on an annual compliance assessment can create a false sense of security. According to the PCI SSC, security controls deployed by organizations that had passed an assessment were often out of compliance when breaches occurred at a later date.

Once you’ve achieved compliance, it’s important to implement practices to maintain your compliant status. Here are some things you can do:

  1. Maintain secure computer networks by segmenting the payment systems from the rest of the business, using firewalls, and prohibiting internet usage on the POS for anything but payment processing
  2. Conduct regular security checks and maintain a vulnerability management program that includes keeping anti-virus software updated, applying security patches promptly, and running the quarterly external network vulnerability scans through an ASV
  3. Require regular password changes (PCI DSS v3.2.1 requires at least every 90 days; monthly is stricter), and make sure passwords are unique and that staff do not share passwords or accounts
  4. Perform system access audits and ensure staff have the lowest levels of access necessary to perform their job tasks, and disable accounts that are no longer used
  5. Implement employee training regarding PCI and data security best practices
  6. Create and maintain a security policies and procedures document that includes the details listed above as well as other activities to protect payment and cardholder data
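Items 3 and 4 above are the ones a small merchant can actually script. The following is an added example, not code from the original article or from Worldpay: it runs an access review over a constructed, fictional account inventory and flags shared logins (no unique ID per person, Requirement 8), access beyond a role's need-to-know (Requirement 7), passwords older than the 90-day maximum in PCI DSS v3.2.1 (8.2.4), and accounts idle for more than 90 days (8.1.4). The role names, system names, thresholds and the inventory itself are assumptions for illustration, not PCI SSC definitions.

```python
"""Access-review check for a small cardholder-data environment (CDE).

Added example, not part of the original article. The role table,
system names and the account inventory below are constructed
assumptions; adapt them to your own environment.
"""
from datetime import date

# Assumed role -> systems that role legitimately needs (need-to-know, Req. 7).
ROLE_NEEDS = {
    "cashier": {"pos-terminal"},
    "store-manager": {"pos-terminal", "pos-backoffice"},
    "it-admin": {"pos-terminal", "pos-backoffice", "payment-gateway", "cde-fw"},
}

# Constructed sample inventory (fictional people and systems). ISO dates.
SAMPLE_ACCOUNTS = [
    {"user": "jsmith", "owner": "Jane Smith", "role": "cashier",
     "access": ["pos-terminal"],
     "pw_changed": "2019-06-01", "last_login": "2019-07-20"},
    {"user": "register1", "owner": "(shared)", "role": "cashier",
     "access": ["pos-terminal"],
     "pw_changed": "2018-01-15", "last_login": "2019-07-29"},
    {"user": "bsmith", "owner": "Bob Smith", "role": "store-manager",
     "access": ["pos-terminal", "pos-backoffice", "payment-gateway"],
     "pw_changed": "2019-07-01", "last_login": "2019-07-25"},
    {"user": "contractor", "owner": "Acme Installs", "role": "it-admin",
     "access": ["cde-fw", "payment-gateway"],
     "pw_changed": "2019-01-10", "last_login": "2019-02-02"},
]


def review_accounts(accounts, today, max_pw_age_days=90, max_idle_days=90):
    """Return a list of (user, finding) tuples, one per policy violation."""
    findings = []
    for a in accounts:
        user = a["user"]
        # Req. 8: every person gets a unique ID; generic/shared logins fail.
        if a["owner"].startswith("(shared)"):
            findings.append((user, "shared account: no individual accountability"))
        # Req. 7: any system outside the role's need-to-know is excess access.
        extra = set(a["access"]) - ROLE_NEEDS.get(a["role"], set())
        if extra:
            findings.append((user, "excess access: " + ", ".join(sorted(extra))))
        # PCI DSS v3.2.1 Req. 8.2.4: change passwords at least every 90 days.
        pw_age = (today - date.fromisoformat(a["pw_changed"])).days
        if pw_age > max_pw_age_days:
            findings.append((user, f"password is {pw_age} days old"))
        # Req. 8.1.4: remove or disable accounts inactive for more than 90 days.
        idle = (today - date.fromisoformat(a["last_login"])).days
        if idle > max_idle_days:
            findings.append((user, f"inactive for {idle} days"))
    return findings


def review_sample():
    """Run the review over the constructed inventory as of 30 July 2019."""
    return review_accounts(SAMPLE_ACCOUNTS, date(2019, 7, 30))


if __name__ == "__main__":
    for user, finding in review_sample():
        print(f"{user}: {finding}")
```

Run it quarterly against an export from your directory or POS back office, and keep the output with your compliance records: the list of findings and what you did about each one is exactly the evidence an assessor or your acquirer will ask for when checking that Requirements 7 and 8 are maintained between annual SAQs.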

Don’t leave your PCI compliance to chance

The ability to accept card payments is a privilege, not a right. Achieving and maintaining PCI compliance is the best way to protect your business and your ability to keep accepting card payments.

For more information on achieving and maintaining your PCI compliance level, check out the PCI Security Standards Council website, and contact your payment processing partner.