Every merchant and service provider that processes, stores, or transmits credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS) for cybersecurity and privacy – but not all must travel the same path to PCI compliance.

The truth is that not all retailers face the same amount of security risk. Recognizing that, the PCI Security Standards Council developed four compliance levels for merchants and two for service providers; every organization seeking PCI compliance should then pursue the level that makes the most sense for its own operations.

The level an enterprise belongs depends upon how many credit card transactions it processes in a year; and whether the business has suffered a breach or cyberattack resulting in compromise of credit card or cardholder data.

The largest enterprises, processing the most transactions, face the highest PCI standards. These merchants and service providers belong to Level 1.

Those processing the least transactions belong to Level 3 or 4 (for merchants) or Level 2 (for service providers). A company’s designated level also depends partly on which credit card (or cards) it accepts. Some cards have no Level 4 or even no Level 3. The PCI council established only two levels for service providers.

Companies at lower levels (3 and 4) may expend much less effort and expense to become PCI-compliant than higher-tiered organizations, unless the bank that processes their credit-card transactions requires more from them.

What Is PCI DSS?

PCI DSS is a security framework developed to safeguard credit card and cardholder data against breach and other forms of unauthorized access. It was launched in 2004 by the PCI Security Standards Council, which comprises financial institutions, merchants, processor companies, software developers, and point-of-sale vendors.

All merchants, payment processors, or internet service providers that process, store, or transmit credit card data must be PCI compliant, no matter which compliance level they belong to. Otherwise the businesses risk substantial penalties, including fines and possible loss of credit card privileges.

Credit-card brands that participate in and enforce PCI DSS are Visa, Mastercard, Discover, American Express, and JCB.

What Is a Merchant According to PCI DSS?

A merchant is any entity that accepts payment cards that have the logos of any of the five PCI SSC members (American Express, Discover, JCB, MasterCard, or Visa) as payment for products & services.

A merchant that handles payment cards can also be a service provider to others, if those services result in the merchant storing, processing, or sending cardholder information on behalf of other businesses or service providers.

For example, an Internet Service Provider (ISP) is a merchant that takes credit cards for monthly billing, and is also a service provider if it hosts merchants as clients.

In contrast, PCI defines a service provider as a business that might handle payment card data, but not to process a transaction directly. Examples include web hosting companies or managed service providers that offer managed firewalls, Intrusion Detection Systems (IDS), and other services.

If a business merely offers public network access, such as a telecommunications operator offering only the communication connection, that company is not regarded as a service provider for that service (although they may be considered a service provider for other services).

What Are PCI Levels of Compliance and How Are They Determined?

Here’s an overview of the PCI Compliance Levels’ criteria and validation requirements for merchants and service providers.

Merchant Level 1

Criteria:

  • Processes more than 6 million Visa, Mastercard, or Discover transactions annually; or
  • Processes more than 2.5 million American Express transactions annually; or
  • Processes more than 1 million JCB transactions annually; or
  • Has suffered a data breach or cyberattack that resulting in compromise of cardholder data; or
  • Has been identified by another card issuer as Level 1.

Requirements:

  • An annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or Internal Security Assessor;
  • Quarterly network scan by Approved Scan Vendor (ASV);
  • Submission of completed Attestation of Compliance (AOC) form.

This highest and most stringent of the PCI DSS compliance levels is the only level to require a full, on-site audit every year. As a result, to become PCI compliant typically takes Level 1 merchants about two years.

In addition, merchants must report the results of their audit to their “acquiring bank,” defined by the SSC as an “entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.”


Merchant Level 2

Criteria:

  • Processes 1 million to 6 million Mastercard, Discover, or Visa transactions per year; or
  • Processes 50,000 to 2.5 million American Express transactions annually; or
  • Processes fewer than 1 million JCB transactions annually; and
  • Has not suffered a data breach or attack that compromised card or cardholder data

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by Approved Scan Vendor
  • Attestation of Compliance Form

At Level 2, merchants do not necessarily need an on-site audit unless they have suffered a data breach or cyber attack that compromised credit card or cardholder data. Also, a Level 2 merchant’s acquiring bank may require an audit and ROC.

Otherwise, Level 2 merchants can self-report by filling out and submitting a Self-Assessment Questionnaire. They also need to have their networks scanned quarterly by an Approved Scan Vendor – because PCI DSS compliance, like so much else in data security, is not a one-and-done endeavor, but rather a continual process.

Completing the SAQ can be a lengthy process in itself (a year or more) with as many as 281 PCI DSS directives to address. Most organizations work to narrow the scope of their audit or assessment to save time and expense.


Merchant Level 3

Criteria:

  • Processes 20,000 and 1 million Visa e-commerce transactions annually; or
  • Processes 20,000 Mastercard e-commerce transactions annually, but 1 million or fewer total Mastercard transactions annually; or
  • Processes 20,000 and 1 million Discover “card-not-present” (e-commerce) transactions annually; or
  • Processes fewer than 50,000 American Express transactions annually; and
  • Has not suffered a data breach or cyber attack that compromised card or cardholder data.

Note that card provider JCB has no Level 3. All merchants processing fewer than 1 million JCB transactions per year qualify as Level 2 merchants.

Validation Requirements:

The validation requirements for a Level 3 merchant are the same as those for Level 2 merchants:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by an Approved Scan Vendor
  • Attestation of Compliance form

Although Level 2 and 3 merchants are not usually required to commission an on-site audit or obtain a ROC, some may choose to do so to boost their business profile or to assure that their cardholder data environment is completely secure.


Merchant Level 4

Level 4 is the lowest PCI merchant compliance level established by Visa and Mastercard.

Criteria:

  • Processes fewer than 20,000 Visa or Mastercard e-commerce transactions per year; or
  • Processes up to 1 million total Visa or Mastercard credit card transactions; and
  • Has not suffered a data breach or attack that compromised card or cardholder data.

Neither Discover, American Express, or JCB has a Level 4 designation. Discover and American Express stop at Level 3; JCB has just two merchant levels.

Validation Requirements:

Merchants that qualify as Level 4 must achieve PCI DSS compliance by meeting their acquiring bank’s requirements. Typically, banks require of Level 4 merchants:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by an Approved Scan Vendor (ASV)

Service Provider Level 1

A service provider is an enterprise that processes, stores, or transmits cardholder data on behalf of another business, or that provides services that could affect cardholder data security. Those providing managed firewalls, intrusion detection systems, intrusion protection systems, data destruction services, and web hosting providers.

The criteria and validation requirements for Level 1 service providers are slightly different than for Level 1 merchants.

Criteria:

  • Stores, processes, or transmits more than 300,000 credit card transactions annually.

Requirements:

  • Annual Report on Compliance by a Qualified Security Assessor
  • Quarterly network scan by an Approved Scanning Vendor
  • Penetration Test
  • Internal Scan
  • Submission of completed Attestation of Compliance Form

Service Provider Level 2

Criteria:

  • Process, store, or transmit fewer than 300,000 credit card transactions per year.

Validation Requirements:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by an Approved Scan Vendor
  • Penetration test
  • Internal scan
  • Attestation of Compliance Form

Service providers that qualify as Level 2 may be asked by partners, clients, or other business partners to validate their PCI DSS compliance with an on-site audit by a Qualified Security Assessor or an Internal Security Assessor, or to meet other, more stringent, Level 1 criteria. Also, they may opt to validate as a Level 1 provider to be included on Visa’s Global Registry of Approved Service Providers.


PCI DSS Compliance, Simplified with Reciprocity ROAR

PCI DSS has 281 directives in 12 categories, so it can be a harsh taskmaster – especially if your enterprise uses old-fashioned spreadsheets to track and maintain compliance. And yet, failure is not an option: losing credit-card privileges might cripple or even destroy your business.

Fortunately, there is a better way. A quality solution such as the Reciprocity® ROAR platform can make PCI DSS compliance easier, faster, and more complete. Our unique Software as a Service provides “single source of truth” dashboards with overviews of your compliance and risk posture. Reciprocity ROAR has ready access to the documentation your auditor or self-assessor needs, easy-to-implement self-audits, and more.

Worry-free compliance and hassle-free audits are the Zen way. Schedule a demo with a Reciprocity ROAR expert today and breathe easier, knowing the path to PCI DSS compliance will be smoother for your organization.