PCI (Payment Card Industry) DSS (Data Security Standard) is a privately managed regulatory standard for the online payments sector.
PCI-DSS affects all organizations that accept credit card payments or process cardholder data. And PCI compliance failures can lead to large penalties – not to mention data breaches and litigation.
Companies covered by the regulations have different PCI-DSS compliance levels. Each level has its own requirements. Knowing the right level helps to reduce costs and protect data according to industry best practices.
For a more detailed introduction, check out our overview of what is PCI-DSS compliance. Continue reading to understand how PCI levels work and where your organization fits into the compliance picture.
Merchants vs. service providers
PCI-DSS is a flexible set of standards. The rules vary depending on the size and type of organization. It is important to assess which PCI compliance levels apply to your company. That way, you will know how to focus your compliance strategy and meet regulatory criteria.
PCI compliance levels recognize two organization types: merchants and service providers:
Merchants are businesses that receive payments from credit card companies belonging to the PCI Security Standards Council (PCI SSC). Council members include industry giants like Mastercard, Discovery, American Express, JCB International, and VISA. So if you accept online payments, you almost certainly fit into the merchant category.
Service providers are organizations that handle cardholder data but do not directly receive credit card data during customer transactions.
This category includes organizations that store, communicate, and process cardholder data. For example, it could include consultancies hired to analyze company finances. Providers could also host infrastructure used by merchants, or manage security services such as firewalls.
4 PCI DSS levels for merchants
PCI Level 1
PCI Level 1 includes all companies that process more than 6 million credit card transactions every year.
This level includes almost all major international retailers. Level 1 classification includes duties that are specific to that level.
Third-party audits. Businesses categorized as Level 1 must hire external auditors that employ a PCI-approved qualified security assessor (QSA). The PCI audit will review the organization's physical access policies and digital data security controls. They determine whether the organization is compliant.
Report on PCI Compliance. At the end of the audit process, companies receive a Report on Compliance (ROC). The ROC suggests areas of improvement and routes to achieve full PCI-DSS compliance.
Attestation of Compliance (AOC). Level 1 organizations must complete an AOC and provide it to the PCI-DSS SSC. The Attestation of Compliance describes the organization's compliance strategy. It complements the ROC and can explain specific security issues in greater detail.
Regular network scans. Level 1 organizations must carry out a quarterly network scan. Every quarterly network scan must be carried out by a third-party approved scanning vendor (ASV). ASVs will highlight vulnerabilities. Clients are expected to act on their recommendations and rectify any faults detected by network scans. Annual penetration testing is also recommended.
PCI Level 2
Level 2 organizations process between 1 million and 6 million cardholder transactions every year.
Security requirements for a Level 2 merchant are generally less complex than Level 1. However, Level 2 organizations must still carry out certain actions to ensure PCI compliance.
Self-assessment questionnaire. External audits are not usually required. But Level 2 companies must submit a written self-assessment questionnaire (SAQ) to the PCI-DSS Security Council. SAQs are available from the PCI SSC website and vary depending on the compliance needs of the organization involved.
Context-specific audits. In some cases, a Level 2 merchant may require an external audit. This applies if the organization has suffered a data breach or other cyber-attack in the previous year.
Reports on PCI Compliance. Level 2 companies must submit a ROC compliance form. However, this can be written in-house. External input is generally not needed.
PCI-DSS compliant controls. Every Level 2 merchant must prove it is PCI-DSS compliant. They must execute regular penetration and network testing by approved vendors. And their ROC must include evidence of robust data security practices.
PCI Level 3
A PCI-DSS Level 3 merchant processes between 20,000 and 1 million transactions every year.
Requirements at this level are similar to Level 2. In fact, JCB International does not recognize Level 3. It views all companies processing over 20,000 transactions as Level 2 organizations. Otherwise, Level 3 merchants must carry out:
Self-assessment questionnaires. Level 3 companies must submit SAQs, showing clear compliance with relevant PCI-DSS standards.
PCI-DSS compliant controls and testing. Companies must enlist approved vendors to carry out quarterly network scans. And they must take action to remedy any security vulnerabilities discovered by the ASV. Penetration testing is good security practice but is not a requirement for Level 3 merchants.
PCI Level 4
PCI-DSS Level 4 merchants are smaller organizations that process fewer than 20,000 transactions every year. Importantly, VISA categorizes every merchant processing up to 1 million transactions as Level 4.
A Level 4 merchant does not need to organize external audits or penetration testing. They also do not need to submit a ROC. The responsibilities of Level 4 merchants are much simpler. They include:
Quarterly network scans. Level 4 merchants must hire an ASV to scan their network four times a year.
Self-assessment questionnaires. The self-assessment compliance form is mandatory for all Level 4 organizations.
Attestation of Compliance. The AOC provides the PCI-DSS council with information about the merchant's compliance strategy and history of data breaches (if any).
2 Levels of PCI DSS for service providers
While merchants fall into four levels, there are only two PCI levels for service providers. And knowing how they differ is an important part of PCI compliance.
Otherwise, most service providers will fall into one of the following PCI levels.
Level 1 Service Provider
Level 1 service providers process more than 300,000 credit card transactions annually.
This category also applies to all providers processing more than 2.5 million American Express transactions.
Level 1 service provider requirements include:
External Audits. Providers must hire a qualified security assessor to carry out an annual data security audit. Findings must be presented in the form of a Report of Compliance.
Network scanning. Level 1 companies must hire ASVs to carry out quarterly network scans.
Penetration tests. Annual penetration testing is mandatory.
Attestation of PCI Compliance. All Level 1 organizations must complete an annual AOC and provide it to the PCI SSC.
Level 2 Service Provider
Level 2 service providers process fewer than 300,000 credit card transactions every year (for Visa, Mastercard, and Discovery).
This category also applies to companies processing fewer than 2.5 million American Express cardholder data transactions.
Responsibilities of Level 2 service providers include:
Self-assessment questionnaires. A self-assessment questionnaire must be completed by an internal security assessor every year. External input is not required.
Network testing. ASVs must scan networks four times every year. This includes local network vulnerability scans. Annual penetration tests are also mandatory.
Attestation of Compliance. Level 2 service providers must complete both a ROC and an AOC. This provides regulators with detailed information about the organization's data security posture.
There are some important exceptions. Terminal Services (TSs) are always classed as Level 2. Level 2 Visa processors can also choose to elevate their PCI compliance posture to Level 1 if desired. This entitles the organization to a place on Visa's registry of PCI-DSS-compliant service providers.
In practice, many Level 2 service providers choose to adopt Level 1 controls. This is because major commercial partners often demand tighter security measures and accreditation.
How do you determine an organization's PCI Level?
The costs and complexity of achieving PCI compliance vary at different levels.
Smaller organizations can waste valuable resources on audits they do not need. Growing organizations have different problems. They may need to reassess their compliance status and alter their PCI level accordingly.
Because of this, it is important to know how to determine the right compliance level.
Firstly, merchants must know the transaction levels for each credit card company they use. This matters because PCI-DSS compliance requirements can vary slightly between different partners.
Next, establish your annual transaction volumes with relevant credit providers. Merchants can usually discover the information they need by communicating with their bank. The bank will provide cardholder data volumes over the past 52 weeks.
Choose the provider with the highest compliance level as your reference point. For example, if your company is classed as a Level 2 Visa processor but is a Level 1 Amex processor, adopt Level 1 compliance practices.
Check the compliance requirements or the level in question. You may need to contact your payment partner to clarify specific rules. Now apply PCI guidelines and hire PCI-approved vendors to carry out any necessary audits.
Knowing your PCI-DSS level has many benefits. It lets you adjust your security controls to meet PCI standards. Robust compliance helps to minimize data breach risks and reassures customers. It allows merchants and service providers to operate securely and makes it much easier to work with commercial partners.