Small or large, tech company or not, gathering customers’ payment card data is a standard part of conducting business today. Almost everyone pays by debit, prepaid, or credit card, and every card transaction uses the customer’s credit card information to process the purchase. Like it or not, the onus is on merchants to comply with the standards that keep this information safe.
That’s where the Payment Card Industry Data Security Standard (PCI DSS) comes in. However, not all PCI compliance levels are created equal. It’s essential to educate yourself on these levels so you can make an informed decision on which payment provider to choose.
TL;DR
- PCI DSS compliance is not optional. The onus is on merchants to comply with the standards that keep this information safe.
- The PCI Security Standards Council recognizes four levels of compliance based on the number of transactions an organization processes in a year.
- The consequences of non-compliance with PCI DSS can be severe. If you experience multiple data breaches, you could be facing multiple fines. Thankfully, credit card transactions require merchant services to be processed. The right payment processing partner is the simplest way to meet the requirements.
A Brief Background on PCI DSS Compliance
The PCI DSS is a set of requirements that organizations must follow to ensure the safety of stored cardholder data. This standard is managed by the PCI Security Standards Council (PCI SSC), which was founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
The requirements are divided into six categories, each designed to protect a different area of customer data:
- Build and Maintain a Secure Network: This category includes requirements for firewalls and other security measures to protect cardholder data from cyberattacks.
- Protect Cardholder Data: This category includes requirements for encrypting sensitive information and creating policies and procedures to prevent the misuse of data.
- Maintain a Vulnerability Management Program: This category includes requirements for identifying and addressing security vulnerabilities.
- Implement Strong Access Control Measures: This category includes requirements for restricting access to cardholder data and tracking user activity.
- Regularly Monitor and Test Networks: This category includes requirements for monitoring networks for suspicious activity and regularly testing security systems and processes.
- Maintain an Information Security Policy: This category includes requirements for developing and distributing a written information security policy.
Although the credit card companies jointly founded the PCI SSC, it’s important to know that each credit card company has its own program for ensuring compliance with the PCI DSS. MasterCard, for example, brands its program as “Site Data Protection” (SDP). All small business owners should review the individual credit card brand programs to meet their standards.
Regardless of the differences, one thing is universal: PCI DSS compliance is not optional.
Any organization that processes, transmits, or stores credit card data must comply with the standard. This includes eCommerce transactions and in-person brick-and-mortar businesses, and any organization that uses a third-party service to process credit card data on its behalf.
Understanding the 4 PCI DSS Compliance Levels
The PCI Security Standards Council recognizes four levels of compliance based on the number of transactions an organization processes in a year:
Level 1: >6 million transactions per year
Level 2: 1-6 million transactions per year
Level 3: 20,000-1 million transactions per year
Level 4: Fewer than 20,000 transactions per year
The requirements for each level are almost the same. The main difference is the number of requirements that must be met and the level of detail required in the documentation.
PCI Compliance Level 1:
Level 1 businesses must complete an annual Report on Compliance (ROC) documenting their compliance with all 12 PCI DSS requirements. The 12 requirements are:
- Implement the right firewall configurations to protect data
- Replace vendor-provided passwords
- Safeguard stored data
- Ensure that cardholder data is encrypted when transmitted across open, public networks
- Keep anti-virus software or programs updated regularly
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Ensure each person with computer access has a unique ID
- Restrict physical access to data
- Monitor access to network resources and cardholder data
- Regularly test security systems and processes
- Develop a policy for employees and contractors on how to protect data
In addition, Level 1 businesses must:
- Undergo an annual on-site assessment by a Qualified Security Assessor (QSA)
- Submit their ROC to the credit card brand they use for processing
- Complete annual penetration testing
- Be prepared to provide documentation of their PCI DSS compliance upon request.
PCI Compliance Level 2:
Level 2 businesses must complete an annual Self-Assessment Questionnaire (SAQ) documenting their compliance with all 12 PCI DSS requirements. The 12 requirements are the same as those for Level 1 businesses.
In addition, Level 2 businesses must:
- Undergo an annual on-site assessment by a Qualified Security Assessor (QSA), Internal Security Assessor (ISA), or Internal Auditor to be submitted to the acquiring bank
- Submit their SAQ to the payment brand they use for processing
- Be prepared to provide documentation of their PCI DSS compliance upon request.
PCI Compliance Level 3:
Level 3 businesses must complete an annual Self-Assessment Questionnaire (SAQ) documenting their compliance with 10 of the 12 PCI DSS requirements. The 10 requirements are:
- Implement the right firewall configurations to protect data
- Replace vendor-provided passwords
- Safeguard stored data
- Ensure that cardholder data is encrypted when transmitted across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Ensure each person with computer access has a unique ID
- Restrict physical access to data
- Track and monitor all access to network resources and cardholder data.
In addition, Level 3 businesses must:
- Undergo an annual network vulnerability scan by an Approved Scanning Vendor (ASV)
- Submit their SAQ to the credit card brand they use for processing
- Be prepared to provide documentation of their PCI DSS compliance upon request to the acquirer.
PCI Compliance Level 4:
Level 4 businesses must complete an annual Self-Assessment Questionnaire (SAQ) documenting their compliance with all 12 PCI DSS requirements. The validation requirements are the same as those for Level 1 businesses.
In addition, Level 4 businesses must:
- Submit their SAQ to the credit card brand they use for processing
- Be prepared to provide documentation of their PCI DSS compliance upon request.
The table below summarizes the main differences between the PCI compliance levels:
| PCI Compliance Level | Documentation requirements | On-site assessment? |
| Level 1 | Detailed | Yes |
| Level 2 | Detailed | Yes |
| Level 3 | Less detailed | No |
| Level 4 | Less detailed | No |
As you can see, the main difference between the levels is the documentation requirements and whether or not an annual on-site assessment is required. Level 1 businesses have to meet all 12 PCI DSS requirements and provide detailed documentation, while Level 4 businesses only have to provide documentation for their compliance with all 12 PCI DSS requirements.
Regarding the Self-Assessment Questionnaire, there are a number of different types, from SAQ A to SAQ D, and various in between. These differ depending on the types of transactions most commonly accepted. For example, eCommerce businesses would have a different questionnaire for merchants who process mostly card-present in-person payments. The PCI SSC has a detailed document defining these differences.
What Happens if You Don’t Comply with PCI DSS?
The consequences of non-compliance with PCI DSS can be severe. If you are a Level 1 merchant and you experience a data breach, you could be fined up to $500,000 by the credit card brands. You may also lose your ability to process credit card payments, which could put you out of business.
If you are a Level 2-4 merchant and you experience a data breach, you could be fined up to $50,000 by the credit card brands. You may also lose your ability to process credit card payments, which could put you out of business.
It’s important to note that the fines are per incident, so if you experience multiple data breaches, you could be facing multiple fines.
How To Determine the Appropriate Merchant Level
To figure out the appropriate PCI DSS compliance level for your business, you will need to answer the following questions:
- Do you store credit card data?
- Do you transmit credit card data over public networks?
- Do you have more than 6 million credit card transactions per year?
If you answer “yes” to any of these questions, you must comply with PCI DSS. This means completing a Self-Assessment Questionnaire (SAQ), Attestation of Compliance Form (AOC), and quarterly network scan.
The Self-Assessment Questionnaire (SAQ) will help you determine the appropriate compliance level. But this is also easily answered by reviewing your credit card transactions. You need to know your transaction volume. How many credit card transactions does your business process in a year?
More than 6 million transactions is Level 1. Between 1-6 million transactions is Level 2. 20,000-1 million transactions per year is Level 3. And fewer than 20,000 transactions will make you Level 1.
How Service Providers Help Merchants Comply
Credit card transactions require merchant services to be processed. No merchant can do this without a payment processing partner. Thankfully, that means much of those compliance requirements are taken care of by your processor. Not you directly.
Your responsibility is to ensure the processor you’re working with is PCI compliant. The most efficient way to do that is by asking for documentation to confirm that they are. Once you have a PCI-compliant provider in place, you should have a contract that outlines their responsibilities to remain that way.
It’s also advisable to perform due diligence on your service providers to make sure they are actually complying. This includes things like reviewing their security policies and procedures, as well as their network security infrastructure.
Bringing Your Business Up to Standard
The bottom line is that PCI compliance is important for any business that processes credit card payments. By understanding the different levels of PCI compliance and how they work, you can ensure your business is compliant and avoid any negative consequences of non-compliance.
The right payment processing partner is the simplest way to meet the requirements, remain compliant, and focus instead on running your business. Small and medium businesses don’t have the luxury of large departments to oversee these checks and balances.
Selecting a credit card processing partner you trust is essential. You want to look for:
- A provider that uses the latest security technologies to protect your data.
- A provider who continually monitors their systems for vulnerabilities and takes action to fix them.
- A provider who is transparent about their compliance status and provides documentation to support their claims.
PCI compliance is a complex and ever-changing landscape. Your payment processor should be able to provide documentation at any time and answer any questions you have about their compliance status. If they can’t, it’s time to look elsewhere.
Stax is a PCI-compliant payment processing company offering merchants simple, transparent pricing, no contracts, and no hidden fees. Let us help you deliver first-class credit card payment solutions that save you money and keep you PCI-compliant. Contact our team today.
