PCI Level 1 compliance is the highest level of PCI compliance required for organizations that process the most credit card transactions per year. It involves implementing all of the PCI DSS controls, then working with a PCI-certified third-party assessor to verify your security.
PCI Level 1 Compliance, Explained
PCI Level 1 compliance refers to the highest standard of Payment Card Industry (PCI) Data Security Standard (DSS) certification. It requires the most stringent assessment, and it’s reserved for organizations that process the most CHD on an annual basis.
To fully comprehend what PCI Level 1 compliance means, you’ll need to understand:
- The leveling system used by SSC stakeholders
- The framework all organizations need to implement
- The specific assessment requirements at Level 1
Achieving and maintaining PCI compliance at Level 1 requires working with an outside assessor. Working with a PCI advisor can help you prepare for compliance at any Level.
What Are the PCI Compliance Levels?
Compliance levels for the PCI DSS are categories that organizations fall into based on the amount of sensitive cardholder data (CHD) they process. The PCI Security Standards Council (SSC) manages several regulations that ensure credit card transactions and related CHD are secure, and the DSS is one of the most wide-reaching. It applies to all organizations that collect, store, process, or otherwise come in contact with CHD. All such companies need to implement the same security controls, but their assessment requirements differ based on their Level.
In a nutshell, PCI Levels determine what kind of assessment report you need to comply.
PCI Levels and Thresholds for SSC Stakeholders
PCI Levels are determined by the SSC Founding Members (Mastercard, Visa, American Express, JCB International, and Discover). Each Level’s metrics are slightly different, but they follow the same pattern: Level 1 sees the most transactions and requires the most security assurance.
For example, consider Visa’s PCI DSS compliance Levels for Merchants:
- Level 1 – Merchants that process over six million transactions annually across all channels or global merchants otherwise determined by Visa to qualify for Level 1.
- Level 2 – Merchants that process between one and six million transactions annually.
- Level 3 – Merchants that process between 20 thousand and one million transactions annually, specifically across e-commerce channels—irrespective of other channels.
- Level 4 – Merchants that process fewer than 20 thousand e-commerce transactions annually or up to one million total Visa transactions annually (across all channels).
Mastercard’s PCI Levels are nearly identical. In fact, several of them reference Visa’s levels, which means an organization may qualify as Level 2 for Mastercard by way of Visa’s specs.
In some cases, the Levels and requirements also differ for Merchants and Service Providers. The SSC makes different reporting templates available to satisfy individual Founding Members’ requirements across these categories. In all cases, the general pattern is the same: the more transactions your organization handles, the more security assurance you need to provide.
PCI Framework Implementation for All Levels
Regardless of PCI compliance Level, all organizations need to implement the same framework controls. The DSS, updated in 2022 to version 4.0, comprises 14 Requirements spread across six priorities. Each Requirement breaks down into several sub-requirements, including specific controls needed to meet the security objective(s) it details. Within these specifications, there are supplemental controls applicable to Service Providers only. But beyond this distinction, unless otherwise specified, all organizations at all PCI Levels need to implement all DSS controls.
Building and Maintaining Secure Networks and Systems
The first two DSS Requirements concern baseline configurations that form the foundation for all other segmentation, monitoring, and control infrastructure. They break down as follows:
- Requirement 1 – Installing and maintaining network security controls
  - 1.1: Define mechanisms to install and maintain network controls
  - 1.2: Configure and maintain Network Security Controls (NSCs)
  - 1.3: Restrict access to the cardholder data environment (CDE)
  - 1.4: Control connections between trusted and untrusted networks
  - 1.5: Mitigate risks from devices connected to untrusted networks
- Requirement 2 – Applying secure configurations across system components
  - 2.1: Define mechanisms for applying secure configurations to systems
  - 2.2: Configure and manage systems and components securely
  - 2.3: Configure and manage wireless environments securely
PCI implementation, at any Level, starts with meeting these baseline specifications.
Protecting Account Data
The next pair of Requirements dives more deeply into the specific scenarios in which CHD needs to be protected, along with the methods best suited to them. It includes the following:
- Requirement 3 – Protecting stored account data
  - 3.1: Define mechanisms for protecting stored data
  - 3.2: Minimize the amount of account data stored
  - 3.3: Do not store sensitive authentication data (SAD)
  - 3.4: Restrict access to primary account numbers (PANs)
  - 3.5: Secure all PANs wherever they are stored
  - 3.6: Secure cryptographic keys related to account data
  - 3.7: Define and implement secure key management processes
- Requirement 4 – Encrypting CHD for transmission on open networks
  - 4.1: Define mechanisms for encrypting CHD for transmission
  - 4.2: Employ strong cryptography on CHD in transmission
Regardless of where CHD is in your ecosystem, it needs to be safeguarded. But the controls you rely on for safe CHD storage may not suffice for transport. Be sure to prepare accordingly.
Maintaining Vulnerability Management
These two Requirements concern monitoring for, identifying, and analyzing vulnerabilities to generate threat intelligence. They facilitate swift and complete mitigation when risks arise:
- Requirement 5 – Protecting systems and networks from malware
  - 5.1: Define mechanisms for protecting against malware
  - 5.2: Prevent malware or detect and address it
  - 5.3: Maintain and monitor anti-malware mechanisms
  - 5.4: Protect users against phishing and social engineering
- Requirement 6 – Developing and maintaining secure software
  - 6.1: Define mechanisms for maintaining secure systems and software
  - 6.2: Develop bespoke and customized software securely
  - 6.3: Identify and address security vulnerabilities
  - 6.4: Protect public-facing web apps against attacks
  - 6.5: Manage changes to system components securely
Effective risk management is proactive. To protect CHD, you’ll need to build the infrastructure that stops threats in their tracks before they materialize into full-blown attacks or incidents.
Implementing Access Control Measures
The biggest grouping of Requirements governs access control, or processes for authenticating users’ identity for access to CHD and systems containing CHD. They break down as follows:
- Requirement 7 – Restricting access to CHD by business need to know
  - 7.1: Define mechanisms for access restriction based on business need
  - 7.2: Define and assign access to system components appropriately
  - 7.3: Employ an access control system to restrict and manage access
- Requirement 8 – Identifying users for access to system components
  - 8.1: Define mechanisms for user identification and authentication
  - 8.2: Manage user account information throughout account lifecycles
  - 8.3: Establish and manage strong authentication credentials
  - 8.4: Require multi-factor authentication (MFA) for access to the CDE
  - 8.5: Configure MFA systems securely to prevent misuse
  - 8.6: Control the use of systems related to authentication factors
- Requirement 9 – Restricting physical access to CHD
  - 9.1: Define mechanisms for physical access restriction
  - 9.2: Manage entry into facilities and systems containing CHD
  - 9.3: Authorize and manage physical access for personnel and visitors
  - 9.4: Secure the storage, distribution, and destruction of media containing CHD
  - 9.5: Protect point of interaction (POI) devices against unauthorized use
Collectively, these measures prevent sensitive data from falling into the wrong hands. MFA also layers the protection so that CHD may remain safe even if account credentials are breached.
Monitoring and Testing Network Security
These Requirements detail what assessments should look like to guarantee security controls are functioning as expected and an organization is prepared for an incident. They include:
- Requirement 10 – Logging and monitoring system components and CHD
  - 10.1: Define mechanisms for monitoring and logging CHD systems
  - 10.2: Implement audit logs to support anomaly detection and forensic analysis
  - 10.3: Protect audit logs from destruction and unauthorized access or changes
  - 10.4: Review audit logs for anomalies or other signs of suspicious activity
  - 10.5: Maintain availability of audit log history for historical analysis
  - 10.6: Implement time-synchronization to ensure consistent timekeeping
  - 10.7: Detect, report on, and respond to failures of security systems
- Requirement 11 – Regularly testing network and system security
  - 11.1: Define mechanisms for regular testing of security systems
  - 11.2: Identify and monitor wireless access points; address unauthorized points
  - 11.3: Identify, prioritize, and address external and internal vulnerabilities regularly
  - 11.4: Perform external and internal penetration tests and correct weaknesses
  - 11.5: Detect and respond to network intrusions and unexpected changes
  - 11.6: Detect and respond to unexpected changes on payment pages
Depending on the SSC stakeholder you’re working with, your Requirement 11 needs may differ slightly. For example, you may need to conduct pen tests more or less frequently. A readiness assessment with your PCI advisor will help you scope and implement monitoring as needed.
Maintaining Information Security Policies
Finally, this Requirement codifies the formal documentation needed for policies and procedures to protect CHD. It is the only category with a single Requirement, but the first sub-requirement of every other Requirement (i.e., 1.1, 2.1, etc.) relates to it. In turn, it also influences all the others:
- Requirement 12 – Supporting information security with formal policies
  - 12.1: Maintain a comprehensive policy to govern and direct information security
  - 12.2: Define and implement acceptable use policies for end-user technology
  - 12.3: Identify, evaluate, and manage risks to CHD and the CDE
  - 12.4: Maintain policies for PCI DSS compliance management
  - 12.5: Maintain policies for documenting and validating PCI DSS scope
  - 12.6: Provide ongoing security awareness and education programs
  - 12.7: Screen personnel to minimize the likelihood of internal threats
  - 12.8: Manage risks related to third-party service providers (TPSPs)
  - 12.9: Ensure that TPSPs support their customers’ compliance
  - 12.10: Respond to suspected and confirmed incidents immediately
Organizations seeking PCI compliance, especially PCI Level 1 compliance, might consider prioritizing this Requirement. Its top-down, catch-all governance streamlines all the others.
PCI DSS Assessment and Reporting for All Levels
Assessment is where PCI Level 1 certification differs from other Levels. Namely, organizations at Level 1 must meet a higher burden of proof and submit different formal documents. They work with PCI-vetted assessors to verify their compliance with DSS Requirements.
Here’s the breakdown of documentation required at each Level:
- Level 4 – Merchants and Service Providers must complete a Self Assessment Questionnaire (SAQ) annually. Additional verification may or may not be needed.
- Levels 3 and 2 – Along with the SAQ, organizations must submit an Attestation of Compliance (AOC) form. In many cases, external validation is required for the AOC.
- Level 1 – Organizations must conduct a more rigorous assessment annually with a Qualified Security Assessor (QSA) and submit a Report on Compliance (ROC).
These requirements vary depending on the SSC stakeholder you’re working with. For example, Visa specifies that an AOC form is required at Levels 2 and 3, whereas Mastercard stipulates that SAQs may suffice at Levels 2, 3, and 4. And, in some cases, organizations at Level 2 (but close to Level 1 thresholds) may need the ROC. However, Level 1 always requires the ROC.
Reports on Compliance and Qualified Security Assessors
The ROC requires rigorous, formal testing across all elements of an organization’s cybersecurity infrastructure. All Requirements, sub-requirements, and controls are assessed and documented in more granular detail than the SAQ calls for. Unlike AOCs, in which an outside assessor may verify an organization’s own findings, the ROC calls for the assessor to generate the findings.
ROCs are conducted almost exclusively by QSAs. QSAs are trained, vetted, and listed by the SSC and provide unparalleled insights into vulnerabilities and threats, especially internal ones.
In some cases, organizations may be able to conduct the ROC assessment internally through an Internal Security Assessor (ISA). However, QSAs are often preferred, as they are not subject to conflicts of interest that could cloud internal assessors’ judgment. Organizations may also work with PCI compliance advisors, independently of AOC or ROC reporting, to conduct readiness assessments. RSI Security offers tailored PCI advisory and QSA services.
Achieve and Maintain PCI Compliance Today
To recap, PCI DSS Level 1 compliance is the highest standard for CHD security, applicable to organizations that process the highest volume of credit card transactions annually. Like other Levels, it requires full implementation of the DSS Requirements. But it also requires a more strenuous assessment process to verify compliance, compared to other PCI Levels. Namely, you’ll need to work with a QSA—like RSI Security—to fill out the ROC form annually.
RSI Security is committed to helping organizations like yours achieve and maintain PCI Level 1 compliance. We lead with integrity and help your organization do the same with tailored PCI implementation, advisory, and assessment services. To learn more, contact RSI Security today!