A white belt in karate throws different kicks than a black belt. A chess master plays different openings than someone who just learned the rules of the game yesterday. There are levels to everything, and PCI compliance is no exception.
PCI (payment card industry) compliance refers to the standards that companies have to stick to in order to process payment information online. These best practices are collectively known as the Payment Card Industry Data Security Standard (PCI DSS), which was created by the PCI Security Standards Council (PCI SSC). It works to increase controls and protection around cardholder data while simultaneously reducing credit card fraud, so it’s always in a company’s interest to pursue this kind of compliance.
Doing so not only protects consumer data from being stolen and used to malicious ends, but it also helps preserve the reputations of companies that achieve this compliance. By taking the steps necessary to avoid cyberattacks, these companies are far less likely to find themselves at the center of a public relations disaster stemming from a data breach or security compromise.
Businesses pursue PCI compliance in order to protect themselves from breaches that would see their customers’ financial data and other personally identifiable information compromised. This concern is as real and present as it’s ever been as more than half of all small- and medium-sized businesses were compromised in 2018. That’s why it’s never been more critical for these companies to understand the steps necessary to achieve PCI compliance and protect their business, their customers, and their reputation.
But different companies will be beholden to different rules and processes in their pursuit of PCI compliance. That’s why it makes sense to start with an understanding of the four different levels of PCI compliance.
PCI levels refer to the number of online credit and debit transactions a company processes in a year
The PCI DSS was formed by major credit card companies working together to design a set of best practices for companies handling consumer data over the internet. They found that there’s no one-size-fits-all solution, but instead prescribe four different categories of PCI compliance that a company might fall into.
The PCI DSS levels at a glance:
- Level 1: over 6 million card transactions per year
- Level 2: between 1 and 6 million transactions per year
- Level 3: processes 20,000 to 1 million transactions in a year
- Level 4: processes less than 20,000 transactions per year
A company’s PCI level merely refers to how many transactions that company processes in a year. Merchants that process over six million transactions per year are designated level one. These are the big dogs of e-commerce, like Amazon and Alibaba. Those companies that process between one and six million per year are level two. If your business processes 20,000 to one million transactions in a year, that’s level three.
Anything less than that registers as level four.
What the different levels mean in practical terms
These levels determine how much assessment and security validation is called for an individual merchant to pass their PCI DSS assessment. With the exception of level one, everyone must complete a self-assessment questionnaire and conduct an external vulnerability scan every quarter by engaging an Approved Scanning Vendor (ASV). Merchants that register as level one must have data security assessments on site. It only makes sense to hold companies processing lots and lots of card data to a higher standard — the incentive to attack these companies is larger.
The three biggest categories — levels one through three — have to report their PCI compliance status directly to the banks they work with. Level four merchants process significantly less volume than the rest, so they should consult with their banks to see what they require. They may end up not needing to report at all, but there are still relevant rules left to cover.
Levels two, three, and four need an approved scanning vendor to conduct a compliance scan every quarter, and must furthermore supply an attestation of compliance (AOC) form. This merely means that these companies need a certified third-party auditor to visit their facilities at least four times a year in order to kick the tires on their payment processing infrastructure. New threats can emerge, new software and hardware updates can come out, and this auditor will be the specialist charged with making sure that everything is current. Level four merchants may not be subject to this process, but level one has to meet all these requirements and more.
In addition to all the above, level one merchants are accountable for submitting an annual compliance report to be filled out by a qualified security assessor (also known as a level one on-site assessment), or by an internal auditor if it’s signed by a company officer. For these companies that process six million or more transactions in a year, it may very well make sense for them to have a dedicated full-timer ensuring PCI compliance on a much more consistent basis.
Who needs to be PCI compliant?
PCI compliance can be deeply technical subject matter that doesn’t seem related to a company’s day-to-day operations, but these standards apply to every merchant, processor, and service providers that accepts, transmits, or stores cardholder data online, no matter how big they are. In 2019, this is an overwhelming majority of businesses.
If your company handles online payments but you don’t know what “PCI” refers to, take it as a sign to get educated. Ignorance of your PCI level is too closely related to noncompliance — if you don’t know your level, then you’re probably not paying enough attention to your data processing requirements. Thankfully there are a host of resources out there to help you level up and take control of how your business processes payments online, saving you from expensive noncompliance fees and protecting customer data at the same time.
So ask yourself a simple question: how many credit card transactions does my company process in a year? That’s the only question necessary in order to arrive at your PCI level, and with this essential data in hand, you’re in the perfect position to begin troubleshooting your PCI requirements.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.