Levels of PCI Compliance

Levels of PCI Compliance

Do you know what level your business falls under to meet PCI compliance?

While the 12 PCI compliant requirements are dictated by the PCI Security Standards Council (PCI SSC), compliance is enforced by the credit card issuer companies, including Visa, MasterCard, American Express, Discover and JCB International.

PCI DSS is made of 6 goals with 12 main requirements, according to the PCI DSS Quick Reference Guide

In order to adhere to these rules, merchants must complete a self-assessment (specific to their transactional behavior) to understand where they are already adhering to PCI DSS and where there may be gaps.

Within the PCI DSS standards, there are 4 levels of PCI compliance. These levels are based on the annual number of transactions for any given merchant.

These are the four levels of PCI compliance as mandated by the card issuers Visa and Mastercard, with definitions according to the volume of credit card transactions per year:

  • PCI Compliance Level 1
    Over 6 million Visa and/or Mastercard transactions processed per year
  • PCI Compliance Level 2
    1 million to 6 million Visa and/or Mastercard transactions processed per year
  • PCI Compliance Level 3
    20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year
  • PCI Compliance Level 4
    Less than 20,000 Visa and/or Mastercard e-commerce transactions processed per year all other companies that process up to 1 million Visa transactions per year

What do these levels of PCI compliance mean?
Companies that meet Level 1 must have yearly on-site reviews by an internal auditor and a required network scan by an approved scanning vendor. A full list of approved scanning vendors (ASV) and contact information is available online from the PCI Security Standards Council.

Any companies that meet PCI compliance Levels 2, 3 or 4 must complete the PCI DSS Self Assessment Questionnaire annually and undergo quarterly network security scans with an approved scanning vendor.

What happens if you breach a PCI compliance level requirement? 
Visa makes your life a bit harder by reserving the right to change your level standards to a stricter level, regardless of the number of transactions processed per year. For example, if you are classified as meeting Level 4 compliance, you must now abide by Level 1 requirements.

Working with a PCI compliant hosting provider can help you understand where your company currently stands and how to meet PCI compliant level requirements.

Levels 2, 3 and 4 all have the same validation requirements – yearly self-assessment using the PCI SSC self-assessment questionnaire, a quarterly network scan by an approved scanning vendor (also available through PCI SSC), and an attestation of compliance form.

Given the higher level of transactions associated with level 1, the validation requirements are a bit more stringent.

Level 1 Service Provider

These are service providers that store, process, or transmit more than 300,000 credit card transactions annually.

PCI Requirements

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
  • Quarterly network scan by Approved Scanning Vendor (ASV)
  • Penetration Test
  • Internal Scan
  • Attestation of Compliance (AOC) Form

WHOA.com is a Level 1 Service Provider and we have been tested under the latest 3.2 regulation standards.

For PCI level 1 compliance, the merchant is required to have yearly assessments of compliance by a Qualified Security Assessor(QSA), in addition to the requirements for levels 2, 3, and 4.

The yearly compliance assessment will consist of a number of steps by the QSA, including an examination of your point of sale (POS) system, a detailed review of areas of vulnerability, and a prioritized list of improvements to make to prevent attacks. Your job once the assessment is over (if you haven’t done this already) is to develop security protocols that will monitor your systems for compliance going forward.

Though this may seem like a long, arduous process, the risks of remaining noncompliant are astronomical. Not only would a customer card data breach tarnish the reputation of your business, you could also expect to be sued – not by PCI SSC, but by Mastercard and Visa, and potentially any number of banks.

Target’s data breach resulted in a payment of $39M to a handful of US banks that service Mastercard, and settled with Visa for $67M. And that doesn’t even count the class action lawsuit filed directly by Target customers, which Target settled for $10M.

The best place to start if you’re new to PCI compliance (or even just level 1) is the PCI Security Standards Council website. There you’ll find tons of resources and PCI SSC-approved vendors.

PCI compliance is definitely a complicated process – and with good reason. Customer payment data is at stake, and any business wishing to use it must do the utmost to protect that data. If the process is too overwhelming to take on yourself, find a PCI compliant vendor to help walk you through it. But even so, make sure you are fully aware of PCI compliance standards, as your business is ultimately responsible.

For information on how to get started, contact WHOA