Every business that handles payment card data must comply with PCI DSS, but the level at which a business has to validate its compliance differs from company to company.
The card brands define four merchant compliance levels. Which level applies to you depends on how many card transactions you process each year (counted per card brand; a merchant that qualifies as Level 1 under one brand is normally treated as Level 1 by the others as well). Each level carries its own annual validation requirements, and a business must meet them every year to keep its compliance status. The security requirements of the standard itself apply to every entity in scope; the level determines only how, and to whom, compliance is validated.
Let’s look at the four levels, starting with the one that the largest multinational companies usually fall under. The lower levels cover smaller businesses, but they still carry detailed requirements of their own.
Know Your PCI Compliance Level
Level 1 compliance is for businesses that process more than six million card transactions each year. These are typically large enterprises with many locations and often a significant online presence.
Level 1 businesses must complete an annual on-site assessment that produces a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or, where the card brand allows it, by a certified Internal Security Assessor. The assessor visits the business’ sites and reviews the systems, networks and processes that store, process or transmit cardholder data, and confirms that the business meets each requirement of the standard.
Quarterly external vulnerability scans are also required. These are run by an Approved Scanning Vendor (ASV) against the business’ internet-facing systems and look for known vulnerabilities and misconfigurations; they say nothing about network performance.
Penetration testing is also required. Unlike a vulnerability scan, which only enumerates known weaknesses, a penetration test attempts to exploit them, from both inside and outside the network, to show whether an attacker could actually reach cardholder data. The test must be repeated at least annually and after any significant change to the environment. Penetration testing is a requirement of the standard itself (Requirement 11), so it applies to any business whose assessment covers that requirement, not only to Level 1 merchants.
Internal vulnerability scans are also required, at least quarterly and after significant changes. Whereas the ASV scan looks at the business from the outside, internal scans cover the systems inside the cardholder data environment and confirm that a threat that is already on the internal network, such as a compromised workstation or a malicious insider, cannot easily reach cardholder data.
An Attestation of Compliance (AOC) must also be submitted. The AOC is the signed form, completed by the business and its assessor, that formally declares the result of the assessment to the acquirer and the card brands.
Level 1 businesses must also conduct internal reviews of their own operations between assessments. This is the ongoing work of maintaining compliance rather than a separate assessment: reviewing logs and firewall rules, tracking changes to the cardholder data environment, and identifying new threats before the next annual assessment finds them.
Level 2 compliance covers businesses that process one to six million card transactions a year. A Level 2 merchant does not have to undergo the on-site QSA assessment and Report on Compliance that a Level 1 merchant does. (Penetration testing, by contrast, is a requirement of the standard and still applies wherever the merchant’s assessment covers Requirement 11.) A Level 2 merchant still has to complete quarterly ASV scans and submit an Attestation of Compliance.
Instead of the on-site assessment, the business must complete an annual Self-Assessment Questionnaire (SAQ). The SAQ is a checklist of the standard’s requirements that the business answers about itself. Its length depends on which SAQ type applies to the business’ payment channels: a couple of dozen questions for a merchant that fully outsources card handling to a PCI-compliant provider (SAQ A), up to several hundred for a merchant that stores, processes or transmits cardholder data on its own systems (SAQ D). Mastercard, for example, requires a Level 2 merchant’s SAQ to be completed by a certified Internal Security Assessor (ISA) on staff; a business with no ISA must have a QSA perform an on-site assessment instead.
The SAQ type also determines which testing requirements the business picks up. A merchant on SAQ A has outsourced its card handling and so has few systems of its own to test, whereas a merchant on SAQ D must run internal vulnerability scans and penetration tests just as a Level 1 merchant does. Working through the questionnaire is how a business finds out which of the standard’s requirements apply to the way it actually accepts cards.
Level 3 covers businesses that complete 20,000 to one million e-commerce transactions a year. The threshold counts only online transactions, so a Level 3 merchant may also accept cards in person, but its card-not-present channel is what places it at this level.
A Level 3 business must complete an annual SAQ and quarterly ASV scans of its internet-facing systems, and submit an Attestation of Compliance, along with any further testing that its SAQ type calls for.
Level 4 is the lowest tier. It covers merchants with fewer than 20,000 e-commerce transactions a year, and merchants processing up to one million transactions a year across all channels. Level 4 businesses are typically small shops with a few card terminals, or new businesses that have not yet built up much traffic.
Level 4 merchants follow the same validation route as Level 3: an annual SAQ, quarterly ASV scans where they have internet-facing systems in scope, and an Attestation of Compliance. In practice the acquiring bank decides what a Level 4 merchant must actually submit, so check with your acquirer rather than assuming nothing is required.
Compliance Is Critical
All businesses must be PCI-compliant regardless of level. The level determines only how compliance is validated and reported; the security requirements themselves apply in full to every in-scope system. A Level 3 or 4 merchant has fewer forms to file than a Level 1 merchant, not fewer controls to implement.
Check your card processing reports to see how many transactions you handle each year, per card brand. That count, together with how much of it is e-commerce, tells you which compliance level you fall under.
Also review how you accept cards: how many terminals you operate, which online channels you use, and whether cardholder data ever touches systems you run yourself or is handled entirely by a payment provider. This determines not only your level but which SAQ type applies and how large your cardholder data environment is. Keeping that environment as small as possible, for instance by never letting card numbers reach your own web servers or databases, is the most effective way to reduce both the compliance burden and the risk to your customers’ card data.
What About Service Providers?
PCI compliance also applies to service providers. In PCI DSS terms, a service provider is any third party that stores, processes or transmits cardholder data on a merchant’s behalf, or that can affect the security of the merchant’s cardholder data environment: payment gateways, hosting providers and managed security or backup services, for example.
A service provider is Level 1 if it handles more than 300,000 transactions a year and Level 2 if it handles fewer. As with the merchant levels, the transaction thresholds are set by each card brand.
A Level 1 service provider must undergo an annual on-site assessment by a QSA, producing a Report on Compliance. A Level 2 service provider instead completes the annual service-provider Self-Assessment Questionnaire (SAQ D) itself. Both levels must run quarterly ASV scans and submit an Attestation of Compliance, and both should expect merchant customers to ask for that AOC as evidence before entrusting them with card data.
Check Each Year
Your compliance level can change from year to year as your transaction volume, your payment channels and the services you offer change, and a card brand can also move a merchant to Level 1 after a breach, regardless of volume. Even if you stay at the same level, each year’s assessment may surface new requirements, for instance when a new payment channel brings additional systems into scope. The largest entities face the heaviest assessments, but the smaller ones still have obligations of their own.
Determining your level each year tells you how you must validate compliance and focuses your effort on protecting cardholder data. Doing that properly is what keeps your business in good standing with acquirers and card brands, and keeps your customers’ card data safe.