The Payment Card Industry, or PCI, is under constant threat of fraudulent activity. In order to mitigate risk and build public trust, major payment card companies banded together to form the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council (PCI SSC) has evolved with time, but its objective remains the same: reduce occurrences of payment card fraud, protect businesses from costly mistakes, and ensure the safety of sensitive consumer information.
The PCI DSS requires any organization that processes payment card data to uphold certain security practices. However, these requirements do not always apply universally. The PCI SSC has established four levels of PCI compliance that determine how organizations must handle and report their payment card protocols:
- PCI Merchant Level 1: Merchants processing over 6 million card transactions per year.
- PCI Merchant Level 2: Merchants processing 1 to 6 million transactions per year.
- PCI Merchant Level 3: Merchants processing 20,000 to 1 million transactions per year.
- PCI Merchant Level 4: Merchants processing fewer than 20,000 transactions per year.
The four PCI DSS compliance levels are thus determined by the volume of each organization. No matter what merchant level an organization falls under, it’s important to prioritize PCI compliant hosting in all online payment scenarios.
Now that we’ve covered the basics of PCI compliance levels, let’s take a look at each merchant level and explore what’s needed in order to stay compliant.
PCI Merchant Level 1
PCI level 1 compliance is applicable to any merchants processing over 6 million card transactions per year. Examples of level 1 merchants tend to be large corporations operating in multiple regions. Like all levels, the transactions that count toward compliance occur in all channels, including card present, card not present, and eCommerce.
Out of the four PCI compliance levels, level 1 is the only class of merchants that requires a third-party auditor. An external audit will be performed by a Quality Security Assessor, also known as a QSA or an Internal Security Assessor. Designated by the PCI SSC, this auditor will perform a thorough, on-site review of an organization’s practices in order to ensure compliance.
Throughout their assessment, the designated QSA will define the scope of their audit, review an organization's paper trails and data storage, and make a determination on PCI compliance. The auditor will then detail their findings in a Report on Compliance (ROC).
In addition to the annual external audit, PCI compliance level 1 merchants are also required to complete network scans each quarter. These scans act as mini audits and are performed by Approved Scanning Vendors, or ASVs. Network scans tend to happen remotely and are not as exhaustive as an annual assessment.
Finally, level 1 merchants must complete an Attestation of Compliance form. Think of this form as the merchant’s chance to present their case in their own words. Unlike an external audit, an organization’s attestation will be compiled and completed by those within the company.
PCI Merchant Level 2
One step down on the scale of PCI DSS compliance levels is merchant level 2. This level contains any organization that processes 1 to 6 million transactions per year. Examples of level 2 merchants might include mid-size corporations or more regional small to mid-sized enterprises (SMEs) that have high transaction rates.
Level 2 merchants are required to submit an ROC, but it will not be the result of an external audit. Level 1 merchants are still the only tier required to have an external audit performed on-premise. Instead, level 2 merchants will file their report based on a Self-Assessment Questionnaire (SAQ).
While level 2 merchants will not be subject to an on-premises audit by a QSA, the SAQ will still take them through all the PCI compliance guidelines to ensure adherence to best practices. Level 2 organizations will also be subject to quarterly network scans performed by an ASV and must submit an Attestation of Compliance form.
Now that we’ve covered the top 2 PCI compliance levels, let’s take a look at merchants who process under 1 million transactions per year.
PCI Merchant Level 3
The third level of PCI compliance applies to merchants that annually process 20,000 to 1 million payment card transactions. Examples of level 3 merchants might include smaller corporations or more localized SMEs.
Level 3 merchants will not have to complete an external audit or submit an ROC. For their annual review, level 3 merchants will only be subject to the Self-Assessment Questionnaire.
However, like levels 1 and 2, level 3 merchants will still require quarterly network scans. They must also file an Attestation of Compliance form. As you will see, these two requirements will remain unchanged for all PCI compliance levels.
PCI Merchant Level 4
What about the smallest of organizations? Does someone who only processes a few card transactions a year have to submit to some of the same practices as big business? The answer is yes. Even if you process very few payments, your organization must still show PCI compliance.
PCI merchant level 4 applies to any organization processing fewer than 20,000 transactions per year. This PCI compliance level is the umbrella under which most small businesses fall. The requirements for compliance are essentially the same as level 3:
- Complete and file a Self-Assessment Questionnaire (SAQ).
- Perform quarterly network scans administered by an Approved Scanning Vendor (ASV).
- Complete and file an Attestation of Compliance form.
It is important to note, however, that not all self-assessments are the same. There are 8 different types of SAQs. The type of SAQ necessary for compliance is determined not only by volume of transactions but also by how you process those transactions (e.g., virtual payment terminals, outsourcing data processing, etc.).
How Do the Four Levels Impact PCI DSS Compliance?
The four PCI DSS compliance levels are meant to create an efficient model for ensuring PCI security best practices. The merchant levels discussed above help the PCI SSC divide payment processors into manageable groups that can then be monitored based on their volume and transaction type.
Depending on the merchant level and the type of violation, many organizations run the risk of incurring PCI non-compliance fees anywhere from $5,000 to $500,000. Organizations should not only be complying with the level-based requirements detailed above, but they should also be taking proactive steps in-house to prevent any PCI compliance issues.
Meeting PCI Compliance
The PCI DSS came about when the major payment card companies established a council for reviewing payment processing practices that were leading to an uptick in fraud. To this day, PCI compliance remains an integral part of any business looking to build customer trust and avoid costly fines.
Whether your organization is a global corporation or a small business, it will fall under one of the four PCI compliance levels subject to annual and quarterly reviews. Much like maintaining HIPAA compliant hosting for web services, IT professionals can look to hosting providers to help ensure PCI compliance as well.
Take Another Step Toward Compliance With Fast, Reliable, No-Hassle PCI Compliant Hosting From Liquid Web
David Gibb is the Financial Controller at Liquid Web. He has over 20 years of experience working in Finance. He is a CPA in Canada, CGMA in the United Kingdom, and a CPA in Australia.
Keep up to date with the latest Hosting news.