What is PCI Compliance Level 1?

PCI Compliance Level 1 is one of four PCI merchant compliance levels (and one of two service provider levels) established in an effort to protect the security of credit card and cardholder data in both e-commerce and in-store transactions.

The Payment Card Industry Data Security Standard (PCI DSS) defines a “Level 1” merchant as one that processes at least 1 million, 2.5 million, or 6 million transactions per year, depending on which credit cards the merchant accepts. It is the highest, and most stringent, of the PCI DSS levels.

Merchants and service providers that have suffered a breach or cyberattack resulting in the compromise of credit card or cardholder data must also meet Level 1 requirements, no matter their size or how many payment card transactions they process, store, or transmit.

PCI DSS, enacted in 2004, requires different actions from different entities based on the number and type of credit card transactions they process per year. 

The PCI Security Standards Council (PCI SSC) created compliance levels in acknowledgment that security risks to merchants, service providers, and their credit card data rise with the number of payment card transactions processed. The fewer the transactions, the lower the level, and the less organizations need to do to be PCI compliant.

The criteria for merchant Level 1 depend on which payment card or credit card brands the merchant accepts:

  • Visa, Mastercard, and Discover define Level 1 merchants as those processing more than 6 million credit card transactions annually.
  • American Express’s minimum for Level 1 is 2.5 million transactions per year.
  • JCB’s Level 1 starts at 1 million credit card transactions per year.

Merchants are not the only entities that must be PCI compliant. To accept payment cards, payment and internet service providers (ISPs) must also demonstrate ongoing and continual security of their cardholder data environment against data breach.


How Do Level 1 Merchants Comply with PCI DSS?

To comply with PCI DSS, Level 1 merchants and service providers must obtain a yearly Report on Compliance (ROC) from a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) after an onsite audit. Those in Levels 2, 3, and 4 may self-assess by filling out the PCI DSS Self-Assessment Questionnaire (SAQ) that the Security Standards Council provides. A quality GRC software or service can make PCI compliance easier and more cost-efficient.

For merchants, Level 1 criteria and validation requirements are:

Criteria:  

  • Processes more than 6 million Visa, Mastercard, or Discover transactions annually, OR
  • Processes more than 2.5 million American Express transactions annually, OR
  • Processes more than 1 million JCB transactions annually, OR
  • Has suffered a data breach or cyberattack that resulted in the compromise of cardholder data, OR
  • Has been identified by another card issuer as Level 1

Requirements:

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  • Submission of a completed Attestation of Compliance (AOC) form

In addition, merchants must report the results of their audit to their “acquiring bank,” defined by the SSC as an “entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.”


What is a Level 1 Service Provider?

Service providers are entities that process payments for, or provide services such as internet services to, merchants and acquiring banks. 

The criteria and validation requirements for Level 1 service providers are slightly different from those for Level 1 merchants:

Criteria

  • Stores, processes, or transmits more than 300,000 credit card transactions annually

Requirements

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  • Penetration test
  • Internal vulnerability scan
  • Submission of a completed Attestation of Compliance (AOC) form