4 PCI DSS Compliance Levels

4 PCI DSS Compliance Levels

Is your company collecting, using, storing, processing, or transmitting payment cardholder data? If that's the case, you've probably heard of PCI DSS, or Payment Card Industry Data Security Standard. The PCI DSS is a standard, developed by major credit card companies, that establishes particular rules for merchants and service providers to follow in order to safeguard payment cardholder data.

This is a tough criterion to meet, and guaranteeing PCI compliance is no easy effort, especially as the framework applies to businesses of different sizes and processing capacities. Within the PCI DSS (Payment Card Industry ​​Data Security Standard), there are four levels of standards for PCI compliance.

In this article, we’ll break down how these four compliance levels work, who they apply to, and how to meet PCI compliance within your organization. 

Understanding the 4 PCI DSS Compliance Levels

What is PCI DSS? 

The Payment Card Industry Data Security Standard (also known as PCI DSS) is a collection of security guidelines meant to guarantee that ALL businesses who accept, handle, store, or transmit credit card data do so in a safe manner.

On September 7th, 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed to oversee the continued advancement of the Payment Card Industry (commonly known as PCI) security standards, with an emphasis on strengthening payment account security throughout the transaction process. The PCI DSS is overseen and controlled by the PCI SSC, a non-profit organization founded by major credit card companies such as Visa and MasterCard. It's vital to highlight that it's the payment brands and acquirers, not the PCI council, who are in charge of ensuring compliance.

What are the 4 levels of PCI Compliance? 

PCI DSS applies to all enterprises that receive, transmit, or retain credit card data, regardless of their company size. PCI compliance is divided into four tiers, each of which is assessed by the number of Visa transactions a merchant executes within a given year:

• Merchant Level One - Any merchant processing more than six million Visa transactions per year, as well as any merchant determined by Visa to be at risk to the Visa system, must fulfill the Level One merchant standards.
• Merchant Level Two - Any retailer handling one million to six million Visa transactions each year.
• Merchant Level Three - Any merchant conducting 20,000 to one million Visa e-commerce transactions per year qualifies for this level.
• Merchant Level Four - Any merchant who processes fewer than 20,000 Visa e-commerce transactions per year and all other merchants who conduct between 20,000 and one million Visa transactions per year.

Based on Visa transaction volume over a twelve-month period, all merchants will be assigned to one of four merchant tiers. The total number of Visa transactions, including credit, debit, and prepaid, from a merchant Doing Business As (also known as "DBA") is used to calculate transaction volume. Visa acquirers must evaluate the aggregate amount of transactions stored, processed, or sent by the corporate entity when determining the validation level when a merchant company has more than one DBA. If data isn't aggregated, meaning a corporate entity doesn't store, process, or send cardholder data on behalf of several DBAs, acquirers will continue to base their validation level on the DBA's individual transaction volume.

How do these 4 levels impact compliance?

Various degrees of compliance have different requirements. Any company that comes under Level One must have an internal auditor conduct an annual on-site inspection and a network scan performed by an approved scanning provider. Businesses in Levels Two, Three, and Four must complete the PCI DSS Self-Assessment Questionnaire once a year and conduct quarterly network security checks with an approved scanning provider. The PCI website features this evaluation questionnaire.

Meeting PCI Compliance

Are you wondering how to meet compliance for the PCI DSS? If so, you have many options. We recommend implementing these tips and best practices into your existing compliance plan, regardless of the PCI DSS level your organization is at:

• Maintain a Vulnerability Management Program by utilizing anti-virus software and updating it on a regular basis.
• Secure systems and applications must be developed and maintained at all levels of the company.
• Implement effective access control measures by limiting cardholder data access to just those who have a business need-to-know. Each individual who has access to the computer should be given a unique ID.
• If at all feasible, limit physical access to cardholder data.
• On-premises network monitoring and testing should be done on a regular basis. All-access to network resources and cardholder data should be tracked and monitored. It's also a good idea to test security systems and processes on a frequent basis.
• Always have an Information Protection Policy in place that covers the security of data for both workers and contractors.
• Purchase and utilize only approved PIN input devices, as well as verified payment software, at your point-of-sale and on your internet shopping cart.
• Do not store sensitive cardholder data on computers or on paper for any reason.
• Ensure that your organization's wireless router is password-protected and employs encryption.
• To secure cardholder data, establish and maintain a firewall setup.
• For system passwords and other security settings, do not utilize vendor-supplied defaults.
• Encrypt the transfer of cardholder data across open, public networks to protect stored cardholder data.
• Check PIN entry devices and PCs on a regular basis to ensure that no malicious software or "skimming" devices have been installed.
• Teach your personnel about security and cardholder data protection, and provide them with frequent training.

In general, we would recommend working with a risk and compliance company like Accountable HQ to streamline your compliance processes and ensure everything is done correctly. PCI DSS compliance can be complex, so it’s best to trust the professionals.