Data breaches can cripple even the most reputable organizations. That’s why businesses of all sizes that handle card payments are expected to comply with a set of standards known as PCI DSS (Payment Card Industry Data Security Standard).
PCI DSS compliance levels are four tiers that categorize businesses based on annual transaction volume. Level 1 applies to merchants processing over 6 million transactions annually. Level 4 applies to merchants processing fewer than 20,000 eCommerce transactions annually.
PCI DSS sets the benchmark for securing cardholder information, applying to any organization that processes, stores, or transmits payment card data. Think of it as a blueprint for safeguarding your business and your customers’ trust.
But what happens if you’re not compliant with PCI DSS? The risks are steep, leading to costly fines, legal consequences, and the devastating loss of customer confidence. A single breach could expose sensitive data, resulting in reputational damage and a long road to recovery. Not to mention the disruption to daily operations and potential revenue loss.
However, navigating PCI DSS compliance requirements can be overwhelming. What most businesses don’t realize is that not all PCI compliance requirements are created equal. Depending on your transaction volume and the sensitivity of the data you handle, you’ll fall into one of four specific PCI compliance levels. Understanding which level applies to your business is key to avoiding hefty fines, building customer trust, and keeping your reputation intact.
But don’t worry; this guide will break down the PCI compliance levels and show you exactly what your business needs to stay secure and compliant.
Key points
- PCI DSS has four compliance levels based on annual transaction volume.
- Level 1 requires an annual QSA audit for merchants processing over 6 million transactions.
- Levels 2, 3, and 4 use Self-Assessment Questionnaires for validation.
- Service providers have two compliance levels with different requirements.
- Liquid Web offers PCI-compliant hosting, expert guidance, secure data centers, and proactive security services to help businesses maintain PCI compliance.
The PCI DSS standard
The Payment Card Industry Data Security Standard (PCI DSS) is the global benchmark for securing payment card data, established by the major credit card brands. Created in 2004, the standard was developed by the PCI Security Standards Council (PCI SSC) to address the growing concerns of data breaches and credit card fraud in an increasingly digital financial landscape.
As cybersecurity threats continue to evolve, PCI DSS provides a comprehensive framework that helps businesses of all sizes protect sensitive cardholder information. The standard is not a government regulation but an industry-mandated set of security requirements.
Compliance is effectively mandatory for any organization that accepts, processes, stores, or transmits credit card information. Non-compliance can result in significant consequences, including:
- Hefty financial penalties
- Potential termination of card processing privileges
- Increased liability in the event of a data breach
- Damage to business reputation and customer trust
The 4 PCI compliance levels explained
PCI DSS defines four merchant compliance levels based on annual card transaction volume. Each level has different validation requirements and security controls. Service providers have two compliance levels based on transaction volume.
The four PCI compliance levels are:
- Level 1: Highest compliance level
- Level 2: Mid-range transaction volume
- Level 3: eCommerce focused
- Level 4: Smallest transaction volume
Each level comes with different requirements to ensure adequate security measures are in place. Here is an overview:
Level 1: Businesses processing over 6 million card transactions annually
Level 1 PCI compliance applies to merchants processing over 6 million Visa or Mastercard transactions annually. Level 1 merchants require an annual on-site audit by a Qualified Security Assessor (QSA). Quarterly network scans by an Approved Scanning Vendor (ASV) are mandatory for Level 1.
PCI DSS Level 1 is the highest and most stringent compliance level for businesses that process payment card transactions. It applies to businesses that process over 6 million card transactions per year. A business may also be classified as Level 1 if it has been identified as such by any card provider or suffered a recent cybersecurity incident resulting in customer data loss.
Compliance with PCI DSS Level 1 includes:
- Validation: Annual on-site audit conducted by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA), which results in a Report on Compliance (ROC).
- Scanning: Quarterly network scans using an Approved Scanning Vendor (ASV).
- Testing: Annual penetration testing.
- Documentation: Completing and submitting an annual Attestation of Compliance (AOC) form to the PCI Security Standards Council.
Even businesses that don’t meet the Level 1 criteria may choose to adopt these stricter security measures to enhance their overall security posture and appeal to security-conscious partners and customers.
Level 2: Businesses processing 1 to 6 million card transactions annually
Level 2 PCI compliance applies to merchants processing between 1 million and 6 million transactions annually. Level 2 merchants must complete an annual Self-Assessment Questionnaire (SAQ). Service providers processing fewer than 300,000 transactions annually fall under Level 2.
PCI DSS Level 2 organizations must adhere to specific compliance verification requirements like:
- Validation: Completing a Self-Assessment Questionnaire (SAQ) each year.
- Scanning: Quarterly network scans conducted by a PCI SSC Approved Scanning Vendor (ASV).
- Documentation: Submitting an AOC form to validate adherence to PCI DSS standards.
To maintain PCI DSS Level 2 compliance, businesses must implement various security controls, including:
- Installing and maintaining firewalls.
- Encrypting cardholder data transmissions.
- Regularly updating anti-virus software.
- Implementing strong access control measures.
- Maintaining a vulnerability management program.
- Regularly monitoring and testing networks.
- Establishing a strong information security policy.
Level 3: Businesses processing 20,000 to 1 million eCommerce transactions annually
Level 3 applies to merchants processing 20,000 to 1 million eCommerce transactions annually. Level 3 merchants complete an annual SAQ and quarterly ASV network scans. An Attestation of Compliance form validates Level 3 compliance status.
This level is designed for small-to-medium businesses that have a significant online presence but don’t reach the transaction volumes of larger enterprises.
PCI DSS Level 3 merchants are required to adhere to specific compliance measures to ensure the security of cardholder data like:
- Validation: Completing an annual SAQ, which helps you evaluate your compliance with PCI DSS standards and identify any areas that need improvement.
- Scanning: Undergoing quarterly network scans by an ASV to detect potential vulnerabilities that could be exploited by cybercriminals.
- Documentation: Submitting an AOC form, which serves as a formal declaration of your compliance status and outlines your strategy for maintaining PCI DSS standards.
Level 4: Businesses processing fewer than 20,000 eCommerce transactions or up to 1 million card transactions annually
Level 4 applies to merchants processing fewer than 20,000 eCommerce transactions annually. Level 4 also includes merchants processing up to 1 million total card transactions annually. Level 4 merchants must complete an annual Self-Assessment Questionnaire.
It’s important to note that these thresholds are specifically for Visa and Mastercard transactions. Other card brands like American Express, Discover, and JCB may have slightly different criteria for their lowest compliance levels.
While Level 4 businesses are subject to the same 12 core PCI DSS requirements as larger businesses, their validation and reporting processes are generally less rigorous:
- Validation: They typically need to complete an annual SAQ appropriate to their payment processing methods.
- Scanning: If involved in eCommerce, quarterly network scans by an Approved Scanning Vendor (ASV) may be required.
- Documentation: Some acquiring banks may require Level 4 merchants to submit an AOC form, though this is not always mandatory.
Level 4 merchants must maintain a secure network and systems. Cardholder data protection is mandatory for Level 4 compliance. Access to cardholder data must be restricted on a need-to-know basis.
While PCI DSS Level 4 has less stringent reporting requirements, it’s essential for these smaller merchants to maintain ongoing compliance to ensure the security of cardholder data and meet their acquiring bank’s expectations.
PCI compliance levels vs. service provider levels
Service providers have two PCI compliance levels based on transaction volume. Level 1 service providers process more than 300,000 transactions annually. Level 2 service providers process fewer than 300,000 transactions annually. Service providers must undergo annual assessments regardless of their level.
How to determine your PCI compliance level
Your PCI compliance level is determined by annual transaction volume across all payment channels. Visa and Mastercard transaction counts determine merchant compliance levels. Different card brands may have varying criteria for compliance levels.
Step 1: Calculate your annual transaction volume
Start by reviewing your annual credit card transaction volume. It’s essential to consider all the channels through which your business processes payments, such as online transactions, in-store purchases, mobile payments, and phone orders. This comprehensive assessment of your transaction volume will help you accurately determine which PCI compliance level you fall under.
For eCommerce businesses, the focus is specifically on online transactions. In contrast, if your business accepts payments through various channels, you’ll need to calculate the total number of all payment transactions for the year.
Step 2: Consider your business type and risk factors
Beyond transaction volume, the nature of your business and your history with data security breaches also play a role in determining your PCI compliance level. For instance, if your business processes a large number of transactions but primarily handles face-to-face payments, you might have different requirements compared to an eCommerce business of a similar size.
Moreover, if your organization has experienced a data breach or has been flagged as a high-risk merchant by card brands, you may be required to meet Level 1 requirements, even if your transaction volume is lower. Understanding these nuances can help you prepare for the compliance requirements your business will face.
Step 3: Review PCI DSS guidelines
The PCI Security Standards Council provides detailed guidelines on how to determine your compliance level. Review these guidelines thoroughly or consult with a PCI compliance expert if needed. The guidelines will help clarify what type of Self-Assessment Questionnaire (SAQ) you need to complete and whether you require third-party audits, such as an on-site assessment or vulnerability scanning.
Step 4: Contact your acquiring bank or payment processor
Your acquiring bank or payment processor plays a crucial role in determining your compliance level. They can provide insights into your transaction history and any specific requirements based on your business model. Banks and processors often require proof of PCI compliance annually, so it’s essential to stay in close communication with them.
Step 5: Regularly reassess your compliance level
Businesses grow, and transaction volumes change. Reassess your PCI compliance level annually or whenever there’s a significant change in your transaction volume or business model. This proactive approach will help you avoid falling out of compliance and facing potential penalties.
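As an added worked example (not code from the original article or from Liquid Web), the following Python encodes the merchant thresholds, the Level 1 override for breached or flagged businesses, and the two-tier service provider scheme described above, and lists the yearly validation work each merchant level must produce. The `Merchant` field names and the treatment of exactly 1,000,000 transactions as Level 2 are assumptions; confirm boundary cases with your acquiring bank.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Merchant:
    """Annual figures a merchant gathers in Steps 1 and 2 (constructed field names)."""
    total_transactions: int        # all channels: online, in-store, mobile, phone
    ecommerce_transactions: int    # the online subset of the total
    flagged_level_1: bool = False  # named Level 1 by a card brand, or a recent breach

    def __post_init__(self) -> None:
        if not 0 <= self.ecommerce_transactions <= self.total_transactions:
            raise ValueError("eCommerce transactions must be part of the total")


def merchant_level(m: Merchant) -> int:
    """Four-tier merchant scheme using the Visa/Mastercard thresholds in the article."""
    if m.flagged_level_1 or m.total_transactions > 6_000_000:
        return 1  # 'over 6 million', or overridden by a card brand / breach history
    if m.total_transactions >= 1_000_000:
        return 2  # '1 to 6 million'; exactly 1,000,000 -> Level 2 is an assumption
    if m.ecommerce_transactions >= 20_000:
        return 3  # '20,000 to 1 million eCommerce transactions'
    return 4      # fewer than 20,000 eCommerce, under 1 million in total


def service_provider_level(transactions: int) -> int:
    """Two-tier service provider scheme: more than 300,000 is Level 1."""
    return 1 if transactions > 300_000 else 2


def merchant_validation(m: Merchant) -> dict:
    """Yearly validation work the article lists for each merchant level."""
    level = merchant_level(m)
    req = {
        "level": level,
        "assessment": "on-site QSA/ISA audit with ROC" if level == 1 else "SAQ",
        "asv_scans": "quarterly",
        "pentest": level == 1,  # annual penetration test is listed for Level 1 only
        "aoc": "required",
    }
    if level == 4:
        # Level 4: ASV scans are tied to eCommerce; AOC only if the acquirer asks
        req["asv_scans"] = ("quarterly (eCommerce)" if m.ecommerce_transactions
                            else "confirm with acquirer")
        req["aoc"] = "if acquirer requires"
    return req


if __name__ == "__main__":
    shop = Merchant(total_transactions=450_000, ecommerce_transactions=25_000)
    print(merchant_validation(shop))  # Level 3: SAQ, quarterly ASV scans, AOC
```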
How to get PCI-compliant
The PCI DSS framework is built on 12 core requirements designed to protect cardholder data and maintain a secure payment environment. If you’re involved in storing, processing, or transmitting cardholder information, you’ll need to ensure your organization meets all the following requirements:
- Install and maintain a firewall to protect cardholder data. Firewalls control and monitor network traffic to safeguard sensitive information.
- Avoid using vendor-supplied default passwords and security parameters. Custom configurations help prevent unauthorized access.
- Protect stored cardholder data through encryption, masking, and other security measures to prevent unauthorized access.
- Encrypt transmission of cardholder data across open, public networks. Data encryption prevents hackers from intercepting sensitive information.
- Use and regularly update anti-virus software to protect against malware that could compromise cardholder data.
- Develop and maintain secure systems and applications. Implement patch management processes to address security vulnerabilities promptly.
- Restrict access to cardholder data by business need-to-know. This principle limits access to only those who require it to perform their job functions.
- Identify and authenticate access to system components. Use strong authentication methods like unique IDs and secure passwords to verify user access.
- Restrict physical access to cardholder data. Limit entry to systems that store sensitive information to authorized personnel only.
- Track and monitor all access to network resources and cardholder data. Maintain logs of system access and security events to detect suspicious activities.
- Regularly test security systems and processes through vulnerability scans and penetration testing to identify and resolve potential weaknesses.
- Maintain a policy that addresses information security. Develop and enforce a comprehensive security policy that includes security protocols, employee training, and ongoing monitoring.
PCI compliance for service providers
When it comes to PCI compliance, the focus often falls on businesses that directly handle card payments from customers. However, service providers, such as payment processors, hosting companies, and IT vendors, play an equally critical role in maintaining a secure payment ecosystem. If your business relies on third-party services to store, process, or transmit payment card data, it’s essential to understand their role in PCI compliance and the responsibilities they carry.
Service providers are subject to similar PCI DSS requirements as merchants but with a few distinctions based on their operational roles. The compliance levels for service providers are determined primarily by the number of transactions they handle on behalf of their clients:
- Level 1 service providers: Those processing more than 300,000 transactions annually. They must undergo an annual on-site audit conducted by a Qualified Security Assessor (QSA) and submit a Report on Compliance (ROC).
- Level 2 service providers: Those handling fewer than 300,000 transactions annually. They can complete a Self-Assessment Questionnaire (SAQ) and submit it alongside quarterly vulnerability scan results.
Regardless of their compliance level, service providers must also implement the 12 core PCI DSS requirements to protect cardholder data. This includes encryption, secure configurations, regular monitoring, access controls, and vulnerability management.
Why working with PCI-compliant service providers matters
The risks of partnering with a non-compliant service provider are significant. If your service provider is not PCI-compliant and a data breach occurs, your business could be held liable for damages, face costly fines, and suffer reputational damage. Even if your own systems are secure, a breach at a third-party provider can still compromise your customers’ data and put your business at risk.
That’s why choosing PCI-compliant service providers like Liquid Web is necessary. When all parties in the payment ecosystem adhere to PCI DSS requirements, the overall security posture is strengthened, reducing the risk of breaches and data theft.
“Service providers must go beyond simply meeting PCI DSS requirements by actively maintaining robust security measures such as real-time monitoring, vulnerability management, and encryption of sensitive data. At Liquid Web, we emphasize the importance of selecting compliant third-party vendors, as any data breach within the service provider ecosystem could directly impact the merchant’s compliance status and result in severe penalties.”
Luke Cavanagh, Strategic Support & Accelerant at Liquid Web.
Achieve PCI compliance effortlessly with Liquid Web
By understanding the four PCI compliance levels, taking proactive steps to secure your systems, and choosing the right hosting partner, you can protect your business and build customer trust.
Liquid Web is your strategic partner in achieving and maintaining PCI compliance. Their secure, scalable, and fully managed hosting solutions, combined with expert guidance and proactive monitoring, empower you to meet PCI DSS requirements with ease.
Don’t leave your business vulnerable. Partner with Liquid Web for secure PCI-compliant hosting that keeps you ahead of threats!
David Gibb