pci compliance merchant level

The Payment Card Industry Data Security Standard (PCI DSS) outlines a set of requirements to help merchants secure payment card data against data breaches and card fraud. But, the requirements may not necessarily apply to all merchants equally.  The PCI merchant levels mandated by card brands like Visa and MasterCard help determine the level of risk exposure and ascertain the appropriate level of security for protecting card data.

These PCI Compliance levels determine the assessment and security validation required by merchants to pass the PCI DSS assessment. So, to ensure secure payment or customer data transmission, processing or storage the merchant will require to adhere to one of the four levels of PCI compliance established by the PCI Security Standards Council.

The four levels of PCI compliance are determined by the number of transactions the organization handles each year. Covering the details of each PCI Compliance levelsour article will work as a guide for those looking to determine their compliance levels to remain compliant.

PCI merchant levels

Level 1: The PCI Compliance level 1 applies to merchants processing more than six million credit or debit card transactions annually. Conducted by an authorized PCI QSA, they are required to undergo an internal audit every once a year and get Report on Compliance (RoC) from an authorized PCI QSA auditor. Moreover, once a quarter they are required to conduct network scans by Approved Scan Vendor (ASV).

For more information on the annual audit requirements, view our brief informative video here: PCI DSS Annual Audit Requirements

Level 2: Level 2 applies to merchants processing between one and six million credit or debit card transactions annually. They are also required to complete a yearly assessment called PCI SAQ (Self-Assessment Questionnaire). In addition to this, a quarterly PCI scan may also be required by the Approved Scan Vendor (ASV). Based on the business processes, there are different types of PCI SAQ.

Level 3: The PCI Compliance level 3 applies to merchants processing between 20,000 and one million credit or debit card transactions annually. They are also required to complete a yearly assessment called PCI SAQ (Self-Assessment Questionnaire). In addition to this, a quarterly PCI scan may also be required by the Approved Scan Vendor (ASV). Based on the business processes, there are different types of PCI SAQ. For more info on the sameview our brief informative video on PCI SAQ

Level 4:  This applies to merchants processing fewer than 20,000 debit or credit card transactions annually, or those that process up to one million real-world transactions They are also required to complete a yearly assessment called PCI SAQ (Self-Assessment Questionnaire). In addition to this, a quarterly PCI scan may also be required by the Approved Scan Vendor (ASV). Based on the business processes, there are different types of PCI SAQ.

Determining your merchant level

Merchants can determine their PCI compliance level by consulting their payment card services provider or using their reporting tools. Level 1-3 merchants have complex compliance requirements to deal with because of the size and nature of their business.

While merchants who are identified as small- or medium-sized businesses fall under level 4. For these merchants, the compliance requirements may be a bit simpler, but may however still find the process more challenging as they may not have the required resources and infrastructure. Fortunately, experts like us at VISTA InfoSec offer PCI compliance assistance and support to any size merchants be it small medium, or large to make their process of compliance simpler and affordable.

PCI Compliance Levels for Service Providers

Service providers are third-party vendors who assist merchants with the storage, processing or transmission of cardholder data. This way, they too are required to comply with PCI DSS requirements.PCI compliance is also applicable to those vendors who provide services and their controls have an impact the security of cardholder data directly or indirectly in some way.

So, similar to merchants, PCI Compliance to Service Providers are also determined based on their compliance levels. The compliance levels are based on the number of transactions they perform per year. There are only two levels of PCI compliance for service providers.

Level 1 – Level 1 applies to service providers that store, transmit, or process more than 300,000 credit card transactions annually. Achieving level 1 compliance enables the business to appear on Visa’s Global Registry of Approved Service Providers. Level 1 requires an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA). It also requires a Quarterly network scan conducted by an Approved Scan Vendor (ASV). Other requirements would include conducting a Penetration Test and Internal Scan. The requirements also call for an Attestation of Compliance (AOC) Form.

Level 2- Level 2 applies to Service Providers who store, transmit or process than 300,000 credit card transactions per year. It requires an Annual Self-Assessment Questionnaire and Quarterly network scan by an Approved Scan Vendor (ASV). Other requirements would include conducting a Penetration Test and Internal Scan. The requirements also call for an Attestation of Compliance (AOC) Form.

Conclusion

PCI compliance is definitely a complicated process and for all the good reasons. After all, it is the customer payment data that is at stake, and business dealing with it must at all costs ensure utmost security of the data.

Although PCI compliance may seem like a long, and tedious process, the risks of non-compliance can cost a fortune to the merchants. Not only would a data breach tarnish the reputation of your business, but also get you sued by Mastercard and Visa, and potentially any number of banks involved in it.

So, if you find the process too overwhelming, you can approach our experts at VISTA InfoSec to help you walk through the process and ease your journey of Compliance. We are international cybersecurity consulting service providers offering advisory services for industry Compliance and Regulatory requirements.

Having been in the industry for almost two decades and being a qualified PCI QSA, we have what it takes to guide merchants in the right direction. Our team of experts will make sure you are fully aware of PCI compliance standards, and assist you in achieving compliance for your business.

 

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.