Four Levels of Merchants in PCI DSS
No matter the industry you are in, the size of your enterprise, or the number of transactions you process per year, your business needs to comply with the PCI DSS. Every merchant falls into one of four PCI DSS compliance levels. The level determines how much security validation is required to pass the PCI DSS assessment.
Based on the number of transactions your business processes per year, the PCI Compliance Levels are:
Level 1: Merchants processing over 6 million transactions annually
- Requirements:
  - Annual on-site assessment by a Qualified Security Assessor (QSA), or an internal audit if signed by an officer of the company
  - Quarterly network scans conducted by an Approved Scanning Vendor (ASV)
  - Compliance must be validated through an annual Report on Compliance (ROC) and Attestation of Compliance (AOC)
  - Additional requirements for daily log reviews and centralized log management

Level 2: Merchants processing 1 to 6 million transactions annually
- Requirements:
  - Annual Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC)
  - Quarterly network scans by an Approved Scanning Vendor (ASV)
  - Some Level 2 merchants may be required to undergo a PCI DSS assessment conducted by a QSA

Level 3: Merchants processing 20,000 to 1 million e-commerce transactions annually
- Requirements:
  - Annual Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC)
  - Quarterly network scans by an Approved Scanning Vendor (ASV)

Level 4: Merchants processing fewer than 20,000 e-commerce transactions annually, or up to 1 million total transactions
- Requirements:
  - Annual Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC)
  - Quarterly network scans by an Approved Scanning Vendor (ASV)
  - Some Level 4 merchants may be required to undergo a PCI DSS assessment by their acquiring bank
Key Components of PCI DSS
- Build and Maintain a Secure Network and Systems
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  - Protect all systems against malware and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Restrict access to cardholder data by business need to know
  - Identify and authenticate access to system components
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security for all personnel
PCI DSS compliance is essential for safeguarding sensitive cardholder data, reducing the risk of data breaches, and maintaining the trust of customers. The specific requirements and validation procedures vary by merchant level, ensuring that security measures are appropriately scaled to the size and complexity of the organization.