What You Need to Know About PCI Levels and Requirements

Payment card data must be well-protected as damages from data breaches continue to mount.

Merchants and service providers must meet the relevant requirements of the Payment Card Industry Data Security Standard (PCI DSS) to accept payment cards and to process, store, or handle payment card data in any way.

The PCI Security Standards Council (SSC) implemented the PCI DSS as businesses moved online and cybercrime and data breaches swelled. The leading credit card brands behind the security council—American Express, Discover, MasterCard, Visa, and JCB—have since remained vigilant, tightening protections via the PCI DSS as cybersecurity threats have evolved.

More than 42,000 data security incidents were reported in 2017, according to the 2017 Verizon Data Breach Incident Report. Annual losses due to payment card fraud are projected to exceed $35 billion by 2020, according to a report on fraud published by The Nilson Report. 

A Square article on what you need to know about PCI compliance notes that the failure to comply with PCI standards and any resulting data breaches could produce damaging consequences such as the following:

  • Lost business as customers seek security among your competitors
  • Expenses for reissuing new payment cards
  • Fraud losses
  • Higher subsequent costs of compliance
  • Legal costs, settlements, and judgments
  • Fines and penalties

Your company could even be forced to close if your business depends on payment card data.

Knowing the PCI levels and requirements can help keep your company as protected as it can be from security breaches. You can serve your customers better and compete more effectively by complying more efficiently with the latest security standards.

What Are PCI Requirements?

According to the PCI Quick Reference Guide from the security standards council,

“PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data — with guidance for software developers and manufacturers of applications and devices used in those transactions.”

PCI standards help organizations mitigate vulnerabilities in areas such as card readers, point of sale systems, databases, call recording software, and online portals.

Though the PCI DSS is a self-regulated mandate for which merchants and vendors are responsible, the industry’s security council sets the standard. In the most recent PCI DSS update, new requirements meant to protect against emerging threats and to account for new ways of processing and storing data took effect on Feb. 1, 2018.

What Are the Four Levels of PCI Compliance?

If you are a merchant, your bank or payment processor can tell you how to report compliance. They will also tell you the frequency and level of compliance you need.

For example, Visa classifies merchants as follows:

Level 1 - More than 6M Visa transactions per year, regardless of acceptance channel

Level 2 - 1M-6M Visa transactions per year, regardless of acceptance channel

Level 3 - 20,000-1M Visa e-commerce transactions per year

Level 4 - Fewer than 20,000 Visa e-commerce transactions per year, and all other merchants—regardless of acceptance channel—processing up to 1M Visa transactions per year

Service providers have more rigorous standards than merchants. If you are a vendor, merchants will stipulate in their contract with you that both of you must be PCI compliant.

The amount of assessment and security validation required to pass a PCI DSS assessment varies, according to a SearchSecurity article on PCI DSS merchant levels.

Level 1

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

Level 2

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 3

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Card issuers may move an organization up to a higher level if a data breach occurs.

What Are the 12 PCI DSS Requirements?

From accepting cards to processing payments and storing information, the PCI DSS is an end-to-end solution for protecting cardholder data. Organizations must comply with all criteria that apply to them to maintain compliance.

Goal 1: Build and Maintain a Secure Network and Systems
Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters

Goal 2: Protect Cardholder Data
Requirement 3 – Protect stored cardholder data
Requirement 4 – Encrypt transmission of cardholder data across open, public networks

Goal 3: Maintain a Vulnerability Management Program
Requirement 5 – Protect all systems against malware and regularly update antivirus software or programs
Requirement 6 – Develop and maintain secure systems and applications

Goal 4: Implement Strong Access Control Measures
Requirement 7 – Restrict access to cardholder data
Requirement 8 – Identify and authenticate access to system components
Requirement 9 – Restrict physical access to cardholder data

Goal 5: Regularly Monitor and Test Networks
Requirement 10 – Track and monitor all access to network resources and cardholder data
Requirement 11 – Regularly test security systems and processes

Goal 6: Maintain an Information Security Policy
Requirement 12 – Maintain a policy that addresses information security for all personnel

What Are the Steps to Comply with the Requirements?

The PCI DSS compliance process has three basic steps:

  • Assess: Review your IT assets and procedures for processing payments and attempt to identify vulnerabilities.
  • Remediate: Fix vulnerabilities and establish processes and policies whereby customer card data is stored for as little time as possible because of the risk of a breach.
  • Report: Maintain remediation records and submit compliance reports to banks, card processors, and other relevant financial organizations.

Protect your organization from data breaches and maintain the trust of your customers by knowing your PCI level and complying with its requirements.