If you accept credit card payments, your business falls under one of the four levels of PCI compliance. The PCI standards exist so that businesses protect all customer card data and avoid the losses that follow a breach. The work is about preventing data breaches and the other incidents that make customers stop trusting businesses with their card data.
The rules you'll follow for attaining PCI compliance vary by the level you hold. Every card-handling business falls into one of four levels of PCI compliance.
Your level is determined mainly by how many transactions you process. But a business that has been in trouble, such as one that has suffered a breach, may also face extended PCI compliance requirements. Here's a look at how these four levels compare and what you'll need to complete for each.
Four levels of PCI compliance
Level 1 businesses process at least six million transactions each year across all channels. Any business that has had a data breach in the past is also treated as a Level 1 entity regardless of its size. Such entities are considered high-risk parties that need extra monitoring and review to confirm they meet PCI standards.
Level 1 businesses must undergo these annual efforts:
- A business must have an approved scanning vendor complete a network scan each quarter.
- An in-person third-party audit is required to confirm your PCI compliance. The third-party team will check your systems and identify possible flaws or issues.
- Penetration tests look for possible security openings and other threats to the business.
- An internal scan of current operating systems and practices is also necessary. This work can include reviewing all hardware and software used to handle customer data and keeping that data protected from outside parties.
- An Attestation of Compliance is required for all Level 1 businesses.
Businesses with one to six million transactions over all channels each year will reach the Level 2 PCI compliance tier. A business that handles anything from 50,000 to two million American Express transactions or up to a million JCB transactions for international customers will also reach Level 2.
Level 2 businesses must complete the following:
- An annual self-assessment questionnaire is required for all Level 2 businesses. The questionnaire reviews various aspects of PCI compliance and identifies possible opportunities for improvement. The process entails more than a thousand questions.
- A penetration test and internal scan are recommended but not mandatory. The questionnaire may prompt the business to complete them.
- A quarterly network scan is required. An approved scanning vendor (ASV) completes the scan.
- The Attestation of Compliance form is also mandatory for Level 2 companies.
A Level 3 business is one that completes from 20,000 to one million online transactions each year. A Level 3 business must complete the following:
- The annual self-assessment questionnaire is required here. Any scans or reviews that the questionnaire recommends, depending on the answers provided, are also required.
- A quarterly network scan is also essential. An ASV handles the work.
- The Attestation of Compliance form is also required in this tier.
The lowest PCI compliance level is Level 4. It covers businesses completing 20,000 or fewer online transactions each year. A business that completes up to a million MasterCard or Visa transactions also falls under Level 4 certification.
The requirements for Level 4 certification are the same as those Level 3 businesses follow.
How Can You Tell What Tier You Meet?
You can use whatever reporting tools your merchant service provider offers to figure out which PCI compliance tier you fall under. You can also estimate it from the size of your business, how many customers you serve on average, and how many card-reading devices you use.
What Does It Cost To Stay Compliant?
The cost to stay compliant varies by tier. Level 4 businesses can spend a few thousand dollars each year to maintain compliance. You'll spend more as you move up to a higher tier, especially since higher tiers require more validation activities to confirm your compliance.
Maintenance Is Critical
You'll need to maintain your PCI compliance efforts regardless of the level you reach. You can do many things to help ensure you stay compliant with all PCI standards:
- Maintain your computer networks with firewalls, user permissions, and antivirus programs.
- Consistent security checks are critical for all businesses. A vulnerability review program shows how your business is handling potential openings in your systems.
- Unique passwords are necessary for all operations. PCI compliance requires passwords that are unique to each user and that are not the default options systems ship with. You can also require people to change their passwords every few weeks or months.
- Access audits show you who is accessing your card data. All staff members should hold only the permissions they need for their work, so they never encounter more data than they are permitted to use.
- You can also write out a full security policy that your employees can study. All employees should be aware of the specific rules you impose so they can handle your data well.
- Regular employee training helps your employees understand what they're doing when handling cardholder data. They learn which pieces of data they should review and how to store and manage whatever data they handle at any moment.
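The access-audit and non-default-password points above can be checked mechanically. The following Python script is an added example, not code from the original article or from the PCI Council: it reads a constructed access log for cardholder-data resources, compares each access against a per-user permission table (least privilege), flags accesses outside those permissions and any sensitive actions such as exports, and checks a constructed list of accounts for default or shared passwords. The log format, user names, resource names, and password hashes are all constructed for the example.

```python
"""Added example: a small audit of cardholder-data access and account credentials.
All data below (log lines, permission table, account list) is constructed."""
import re
import hashlib
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Permitted access per user (constructed). In practice this comes from your IAM system.
PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"cde-db", "pan-vault"},
    "bob": {"cde-db"},
    "svc-batch": {"pan-vault"},
}

# Actions that are allowed but should always be reviewed by a human.
SENSITIVE_ACTIONS = {"EXPORT", "DELETE"}

# Constructed sample log: "<timestamp> <user> <action> <resource>".
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice READ cde-db
2024-03-01T09:05:12Z bob READ cde-db
2024-03-01T09:07:44Z bob READ pan-vault
2024-03-01T09:10:03Z carol READ cde-db
malformed line that should be skipped
2024-03-01T09:12:30Z svc-batch READ pan-vault
2024-03-01T09:15:00Z alice EXPORT pan-vault
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<resource>\S+)$")


def parse_log(text: str) -> List[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def audit_access(events: List[dict], permissions: Dict[str, Set[str]]
                 ) -> Tuple[List[dict], List[dict], Dict[str, int]]:
    """Return (unauthorized accesses, sensitive actions to review, per-user access counts)."""
    unauthorized, sensitive = [], []
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        counts[ev["user"]] += 1
        allowed = permissions.get(ev["user"])
        if allowed is None:
            unauthorized.append({**ev, "reason": "user has no permissions defined"})
        elif ev["resource"] not in allowed:
            unauthorized.append({**ev, "reason": "resource not in user's permissions"})
        elif ev["action"] in SENSITIVE_ACTIONS:
            sensitive.append(ev)
    return unauthorized, sensitive, dict(counts)


# Constructed account list: username -> SHA-256 of the password (hex).
# A real system would use a slow password hash; SHA-256 is used only to keep the example short.
def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

DEFAULT_PASSWORDS = {"admin", "password", "changeme"}      # vendor defaults (constructed list)
ACCOUNTS: Dict[str, str] = {
    "alice": _h("c0rrect-horse-battery"),
    "bob": _h("changeme"),                # still on a default
    "carol": _h("c0rrect-horse-battery"), # same password as alice
    "svc-batch": _h("9f2a!Lk#batch"),
}


def audit_passwords(accounts: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (users with a default password, users sharing a password with someone else)."""
    default_hashes = {_h(p) for p in DEFAULT_PASSWORDS}
    on_default = sorted(u for u, h in accounts.items() if h in default_hashes)
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for u, h in accounts.items():
        by_hash[h].append(u)
    shared = sorted(u for users in by_hash.values() if len(users) > 1 for u in users)
    return on_default, shared


if __name__ == "__main__":
    unauth, review, counts = audit_access(parse_log(SAMPLE_LOG), PERMISSIONS)
    for f in unauth:
        print(f"UNAUTHORIZED {f['ts']} {f['user']} {f['action']} {f['resource']}: {f['reason']}")
    for ev in review:
        print(f"REVIEW       {ev['ts']} {ev['user']} {ev['action']} {ev['resource']}")
    print("access counts:", counts)
    print("default passwords:", audit_passwords(ACCOUNTS)[0])
    print("shared passwords:", audit_passwords(ACCOUNTS)[1])
```

Run against a real export, the two findings lists are what an access audit is looking for: accesses outside a user's assigned permissions (or by accounts with no defined role at all), and permitted but high-impact actions that still deserve a second pair of eyes. The password check only works against stored hashes; it deliberately does not need plaintext passwords.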
Everything you do to maintain PCI compliance protects your business from fraud and data theft. You must meet PCI standards regardless of the tier you fall under. Whether that means the extensive rules of Level 1 or the lighter requirements of Level 4, make sure your PCI efforts follow a plan that keeps your business safe and running for everyone.