Understanding the PCI Levels of Compliance


While every merchant and service provider that processes, stores, or transmits credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), not all must travel the same path to PCI compliance.

The amount of risk an organization faces depends on a variety of factors. Recognizing these differences, the card brands, working through the PCI Security Standards Council, established four compliance levels for merchants and two for service providers. The level an enterprise belongs to depends on:

  •     How many credit card transactions it processes in a year, and 
  •     Whether it has suffered a breach or cyberattack resulting in compromise of credit card or cardholder data.

The entities with the most stringent and complex requirements for validation of PCI DSS compliance are those that process the highest number of credit card transactions or have experienced a data breach. These merchants and service providers belong to Level 1.

Those processing the fewest transactions belong to Level 3 or 4 (for merchants) or Level 2 (for service providers). An entity’s designated level depends partly on which credit card or cards it accepts, because each brand defines its own thresholds and some brands have no Level 4 or even no Level 3. Only two levels exist for service providers.

Entities at lower levels (3 and 4) may expend much less effort and expense to become PCI compliant than higher-tiered organizations, unless their acquiring bank—the bank that processes their credit-card transactions—requires more from them.


What is PCI DSS? 

PCI DSS is a security framework developed to safeguard credit card and cardholder data against breach and other forms of unauthorized access. Version 1.0 was first released in December 2004 by the major card brands, and the standard has since been maintained by the PCI Security Standards Council, founded by those brands in 2006. The council’s participating organizations include financial institutions, merchants, payment processors, software developers, and point-of-sale vendors.

All merchants and service providers (payment processors, hosting providers, and other third parties) that process, store, or transmit credit card data must be PCI compliant, no matter which compliance level they belong to. Otherwise, they face strict penalties including fines and possible loss of the ability to accept cards.

Credit-card brands that participate in and enforce PCI DSS are Visa, Mastercard, Discover, American Express, and JCB.

The PCI Compliance Levels

Here’s an overview of the PCI Compliance Levels’ criteria and validation requirements for merchants and service providers.

Merchant Level One

Criteria:  

  •       Processes more than 6 million Visa, Mastercard, or Discover transactions annually OR
  •       Processes more than 2.5 million American Express transactions annually OR
  •       Processes more than 1 million JCB transactions annually OR
  •       Has suffered a data breach or cyberattack that resulted in compromise of cardholder data OR
  •       Has been designated Level 1 by another card brand

Requirements:

  •       Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or Internal Security Assessor
  •       Quarterly network scan by Approved Scan Vendor (ASV)
  •       Submission of completed Attestation of Compliance (AOC) form

This highest and most stringent of the merchant compliance levels is the only merchant level that requires a full, on-site assessment every year. Preparing for and completing that first assessment is commonly a multi-year effort for a Level 1 merchant, with the exact duration depending on the size of the cardholder data environment.

In addition, merchants must report the results of their audit to their “acquiring bank,” defined by the SSC as an “entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.”

Merchant Level Two

Criteria:

  • Processes 1 million to 6 million Mastercard, Discover, or Visa transactions per year OR
  • Processes 50,000 to 2.5 million American Express transactions annually OR
  • Processes fewer than 1 million JCB transactions annually AND
  • Has not suffered a data breach or attack that compromised card or cardholder data

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by Approved Scan Vendor
  • Attestation of Compliance Form

At Level 2, merchants do not necessarily need an on-site audit unless they have suffered a data breach or cyberattack that compromised credit card or cardholder data. Also, a Level 2 merchant’s acquiring bank may require an audit and ROC. Mastercard is a notable exception: it requires its Level 2 merchants either to have the SAQ completed by staff who have earned the PCI SSC Internal Security Assessor (ISA) certification or to engage a QSA for an on-site assessment.

Otherwise, Level 2 merchants may self-report by filling out and submitting a Self-Assessment Questionnaire. They also need to have their networks scanned quarterly by an Approved Scan Vendor—because PCI DSS compliance, like data security, is not a one-and-done endeavor but a continual process.

Getting the environment into a state where the SAQ can be honestly completed can be a lengthy process in itself, a year or more, with as many as 281 PCI DSS directives to address. Most organizations work to narrow the scope of their assessment to save time and expense, typically by segmenting the cardholder data environment from the rest of the network and by using tokenization or a hosted payment page so that fewer systems ever touch card data.

Merchant Level 3

Criteria:

  • Processes between 20,000 and 1 million Visa e-commerce transactions annually OR
  • Processes more than 20,000 Mastercard e-commerce transactions annually but no more than 1 million total Mastercard transactions annually OR
  • Processes between 20,000 and 1 million Discover “card-not-present” (e-commerce) transactions annually OR
  • Processes fewer than 50,000 American Express transactions annually AND
  • Has not suffered a data breach or cyber attack that compromised card or cardholder data

Note that card provider JCB has no Level 3. All merchants processing fewer than 1 million JCB transactions per year qualify as Level 2 merchants.

Validation Requirements:

The validation requirements for a Level 3 merchant are the same as those for Level 2 merchants:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by an Approved Scan Vendor
  • Attestation of Compliance form

Although Level 2 and 3 merchants are not usually required to commission an on-site audit or obtain a ROC, some may choose to do so to boost their business profile or ensure that their cardholder data environment is completely secure.

Merchant Level 4

Level 4 is the lowest PCI merchant compliance level established by Visa and Mastercard.

Criteria:

  •   Processes fewer than 20,000 Visa or Mastercard e-commerce transactions per year OR
  •   Processes up to 1 million total Visa or Mastercard credit card transactions AND
  •   Has not suffered a data breach or attack that compromised card or cardholder data.

The Level 4 criteria above are the Visa and Mastercard definitions. American Express stops at Level 3, JCB has just two merchant levels, and each brand defines its own lowest tier, so check the rules of every brand you accept rather than assuming the Visa thresholds apply.

Validation Requirements:

Merchants that qualify as Level 4 must achieve PCI DSS compliance by meeting their acquiring bank’s requirements. Typically, banks require of Level 4 merchants:

  •   Annual Self-Assessment Questionnaire (SAQ)
  •   Quarterly network scan by an Approved Scan Vendor (ASV)

Service Provider Level 1

A service provider is an enterprise that processes, stores, or transmits cardholder data on behalf of another business, or that provides services that could affect the security of cardholder data. Examples include providers of managed firewalls, intrusion detection and prevention systems, data destruction services, and web hosting.

The criteria and validation requirements for Level 1 service providers are slightly different from those for Level 1 merchants. Note that the penetration test and internal vulnerability scan listed below are not level-specific extras: both are PCI DSS Requirement 11 controls that every in-scope entity, merchant or service provider, must perform. They are called out here because service providers are routinely asked by their customers to produce evidence of them.

Criteria

  •   Stores, processes, or transmits more than 300,000 credit card transactions annually

Requirements

  •     Annual Report on Compliance by a Qualified Security Assessor
  •     Quarterly network scan by an Approved Scanning Vendor
  •     Penetration Test
  •     Internal Scan
  •     Submission of completed Attestation of Compliance Form

Service Provider Level 2

Criteria:

  •     Process, store, or transmit fewer than 300,000 credit card transactions per year

Validation requirements:

  •     Annual Self-Assessment Questionnaire
  •     Quarterly network scan by an Approved Scan Vendor
  •     Penetration test
  •     Internal scan
  •     Attestation of Compliance Form

Service providers who qualify as Level 2 may be asked by clients or other business partners to validate their PCI DSS compliance with an on-site audit by a Qualified Security Assessor or Internal Security Assessor and to meet the other, more stringent, Level 1 criteria. They may also opt to validate as a Level 1 provider in order to be listed on Visa’s Global Registry of Service Providers.

PCI DSS Compliance, Simplified

With 281 directives organized under 12 top-level requirements, PCI DSS can be a harsh taskmaster, especially if your enterprise uses old-fashioned spreadsheets to track and maintain compliance. And yet, failure is not an option: losing the ability to accept cards might cripple or even destroy your business.

Fortunately, there is a better way. A quality solution such as ZenGRC can make PCI DSS compliance easier, faster, and more complete. Our unique Software as a Service provides “single source of truth” dashboards with overviews of your compliance and risk posture. ZenGRC has ready access to the documentation your auditor or self-assessor needs, easy-to-implement self-audits, and more.

Worry-free compliance and hassle-free audits are the Zen way. Contact a ZenGRC expert today and breathe easier, knowing the path to PCI DSS compliance will be smoother for your organization.
