
PCI Compliance Levels: A Complete Guide

Do you know which PCI compliance level you fall into? Our complete guide tells you everything you need to know about PCI DSS

October 13, 2020 by Softjourn

With the number of payment cards predicted to reach 17 billion globally by 2022[1], it's not surprising that cardholder data protection is getting a lot of attention. If your business handles cardholder data in any way, you need to know about PCI DSS compliance requirements.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created in 2004 by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is composed of the major card brands (MasterCard, Visa, American Express, JCB International, and Discover Financial Services).

The council was formed in order to enhance control over cardholder data and ultimately reduce card fraud.

What is PCI Compliance?

A company is considered PCI compliant if it follows the PCI DSS requirements at all times and maintains an appropriate level of security over the cardholder data it handles.

A company's PCI compliance level, and the validation requirements that come with it, depend on its annual transaction volume.

The Benefits of PCI Compliance

A business that is PCI compliant assures customers that the security of their data and sensitive information is taken seriously. It's a sure way to build a long-lasting relationship with clients.

Being PCI compliant also safeguards the company against online scammers and fraud attempts.

The cost of being non-compliant can be extremely high. It can seriously damage the reputation of the company, resulting in loss of customers, lawsuits, and fines from payment card issuers.

PCI Compliance Levels and Requirements Explained

PCI compliance is divided into four levels, assigned according to the number of card transactions a company processes each year. Each level has its own criteria that a business must follow in order to remain compliant.

[Figure: PCI compliance transaction requirements per level]

PCI Compliance Level 4 Criteria and Validation Requirements

Level 4 is the lowest level of compliance under PCI DSS. It applies to merchants who process fewer than 20,000 e-commerce transactions per year, or up to one million Mastercard or Visa credit card transactions per year. These merchants must not have suffered a data breach or attack that compromised cardholder data in any way.

Merchants who fall into this level can achieve PCI DSS compliance by meeting their acquiring bank's requirements.

Validation requirements:

  • Completed Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans conducted by Approved Scanning Vendor (ASV)

PCI Compliance Level 3 Criteria and Validation Requirements

Level 3 applies to merchants who process between 20,000 and one million e-commerce transactions annually. It’s important to mention that JCB International doesn’t have Level 3. All merchants who process fewer than one million JCB International transactions per year are Level 2 merchants.

Validation requirements:

  • Completed Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan conducted by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance form

PCI Compliance Level 2 Criteria and Validation Requirements

Level 2 applies to merchants processing between one and six million credit or debit card transactions annually, 50,000 to two million American Express transactions, or fewer than one million JCB International credit card transactions.

Validation requirements:

  • Completed Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan conducted by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance form
  • Additionally, a quarterly PCI scan may be required

PCI Compliance Level 1 Criteria and Validation Requirements

Level 1 applies to merchants who process more than six million credit or debit card transactions annually. It also applies to merchants who have suffered a data breach that resulted in the compromise of cardholder data, or who have been identified as Level 1 by another card issuer.

Validation requirements:

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or Internal Security Assessor
  • Quarterly network scan conducted by an Approved Scanning Vendor (ASV)
  • Submission of completed Attestation of Compliance form

PCI Compliance Levels and Requirements for Service Providers

Service providers usually assist merchants with the storage, processing, or transmission of cardholder data, which makes them subject to PCI DSS. PCI compliance also applies to companies that provide services which control, or could affect, the security of cardholder data in some way.

As with merchants, service providers are assigned compliance levels based on the number of transactions they handle per year. There are only two levels of PCI compliance for service providers.

Level 2 Service Provider Criteria and Validation Requirements

Level 2 applies to service providers that process fewer than 300,000 credit card transactions per year.

Validation requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  • Penetration Test
  • Internal Scan
  • Attestation of Compliance (AOC) form

Level 1 Service Provider Criteria and Validation Requirements

Level 1 is for service providers that store, transmit, or process more than 300,000 credit card transactions annually.

Validation requirements:

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  • Quarterly network scan conducted by an Approved Scanning Vendor (ASV)
  • Penetration Test
  • Internal Scan
  • Attestation of Compliance (AOC) form

Achieving Level 1 compliance allows the business to be listed on Visa's Global Registry of Approved Service Providers.

Self-Assessment Questionnaire For Your Compliance Level

Companies at PCI compliance levels 2 to 4 can complete a Self-Assessment Questionnaire (SAQ) instead of undergoing an external audit[2]. Several SAQs exist to cover different merchant environments, and because each one is based on how payment card information is processed, it is very important for a company to choose the right one.

An SAQ consists of a series of yes-or-no questions for each applicable PCI compliance requirement. If you answer no to a question, your company may be required to provide remediation dates and the associated actions.

If you are not sure which SAQ to use, ask your acquiring bank or payment card brand for help. A business that assesses itself against the wrong set of requirements wastes time, effort, and resources meeting objectives that do not apply to it.

12 PCI DSS Requirements

The PCI SSC defines 12 requirements that every business must meet to become PCI DSS compliant. Each requirement is further divided into sub-requirements, which can be difficult for smaller companies to comply with without the assistance of an expert.

[Figure: the 12 PCI DSS requirements]

How Softjourn Can Help

While Softjourn cannot assist with the PCI DSS audit itself, we can help make your system secure and compliant. We have done so for many clients in the past, including a prepaid card company that has issued 10 million cards over its lifetime. We can help you prepare, including reviewing the code and processes that will be examined during an audit. After the audit has taken place, we work with our clients to make any necessary corrections. We follow PCI and Payment Application Data Security Standard (PA-DSS) guidelines in the development of payment data security software to support your successful certification by compliance services vendors.

We can also assist in completing the relevant SAQ for your company. As a third-party technology provider, we help our clients clearly understand which PCI requirements apply to them. This avoids the time and money wasted on filling out the wrong assessment. We support management, departments, and technical experts with our experience in PCI projects within acquirers and issuers.

[1] 14 billion cards worldwide with debit card leads the growth. (2018, November 21).

[2] Payment Card Industry Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines.

Softjourn is a global technology services provider that finds custom solutions for our clients’ toughest challenges. We leverage our domain expertise in Fintech, Cards & Payments, and Media & Entertainment (with a special emphasis on ticketing), to apply new technology that brings our clients' growing needs to life. Contact us to discuss how we can make your idea a reality!