The 4 PCI compliance levels

Saturday, December 20, 2014

A guide to understanding them for small businesses

As a small business owner, you know how important it is to accept multiple forms of payment at your business. In today’s world, the most common payment methods are credit card and debit card payments. One aspect of accepting card payments is ensuring that you are helping to protect cardholders’ personal data and card information. To help ensure the security of cardholders, the major credit card brands – Visa, Mastercard, American Express, JCB, and Discover – founded the Payment Card Industry Security Standards Council (PCI SSC). In order to accept card payments, you need to make sure that your business is in compliance. So, in this article, we’ll take a look at the PCI Data Security Standard (DSS) before discussing the varying levels of compliance; we’ll also look at how to determine your small business’s compliance level. But to start, let’s look at the PCI DSS.

What is the PCI DSS?

As previously mentioned, the PCI DSS is the way the major credit card companies ensure that businesses are doing their part to protect against payment card data breaches and credit card fraud. While the PCI council does not monitor what every single business is doing, the consequences of failing to comply with the standard can be significant. Fines can range from thousands to hundreds of thousands of dollars. And while the payment card industry holds the acquiring bank accountable, those fines get passed on to the offending merchant.

There are 12 general compliance requirements for PCI DSS certification:

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data through business need to know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security for all personnel.

Now that you know more about PCI DSS compliance, let’s look at the four compliance levels.

The four PCI compliance levels

There is more to being PCI compliant than just the requirements listed above. In fact, there are four different levels of PCI compliance, and each level carries its own validation requirements. The payment card companies assign these tiers based on a variety of factors, chiefly annual transaction volume and the channels through which those transactions are accepted. Let’s look at each of these levels individually.

Level 1 merchants

Level 1 merchants are those businesses that process over 6 million card transactions per year. These transactions are counted across all channels, whether card present, card not present, or ecommerce. In addition, global merchants that process a total of 6 million transactions or more can also be considered level 1 merchants. Level 1 merchants are typically large corporations operating in multiple regions. Out of the four PCI compliance levels, level 1 is the only class of merchants that requires a third-party auditor.

Level 1 merchants must do the following:

  • Complete a Report on Compliance (ROC) each year through an auditor, either a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA).
  • Complete quarterly network scans by an Approved Scanning Vendor (ASV).
  • Complete the Attestation of Compliance Form.

Level 2 merchants

Level 2 merchants are those businesses that process between 1 million and 6 million card transactions per year. These transactions are again counted across all channels, whether card present, card not present, or ecommerce. Examples of level 2 merchants include mid-size corporations or regional small to mid-sized enterprises (SMEs) with high transaction rates.

Level 2 merchants must do the following:

  • Complete an annual Self-Assessment Questionnaire (SAQ).
  • Complete a quarterly network scan by an ASV.
  • Complete the Attestation of Compliance Form.

Level 3 merchants

Level 3 merchants process between 20,000 and 1 million card transactions per year. However, these merchants process their transactions exclusively through ecommerce.

Level 3 merchants must do the following:

  • Complete an annual SAQ.
  • Complete a quarterly network scan by an ASV.
  • Complete the Attestation of Compliance Form.

Level 4 merchants

Level 4 merchants are businesses that process up to 1 million card transactions per year across all channels, and fewer than 20,000 card transactions per year via ecommerce. This PCI compliance level is the umbrella under which most small businesses fall.

Level 4 merchants must do the following:

  • Complete an annual SAQ.
  • Complete a quarterly network scan by an ASV.
  • Complete the Attestation of Compliance Form.

As you can see, the main factor that determines a merchant’s level is the number of transactions the company processes per year. The higher the transaction volume, the more stringent the compliance validation. This makes sense: a level 1 merchant holds data for far more cardholders, so a breach there exposes far more people, and it needs to ensure it is well protected from threats.

Now, how does your business figure out which level it falls under? That’s where your payment processing partner comes into play. You can determine your PCI DSS compliance level by asking them directly or by using their merchant tools to count the number of transactions your company processed during the previous year.

What’s the SAQ?

As mentioned above, there is a self-assessment questionnaire (SAQ) that businesses are required to complete. Depending on your type of business, you’ll have to fill out a particular SAQ; the form your company needs depends on the way in which you accept card payments. Those who strictly take card not present or ecommerce payments and have fully outsourced all cardholder data functions to PCI DSS validated third parties fill out SAQ A, while those who use card present methods need to fill out a different SAQ form. To ensure your company fills out the correct form, consult with your payment processor or refer to PCI SSC publications for more information.

How to maintain PCI DSS compliance

PCI compliance is not a once-a-year event. In fact, it’s an ongoing process that your business should take seriously. Even after you’ve achieved compliance, it’s important to have practices in place to maintain it. Here are a few of the best practices that help you stay compliant:

  • Utilize firewalls to secure computer networks and provide a first line of defense against malicious parties.
  • Conduct regular security checks and vulnerability scans and be sure that anti-virus software is up to date.
  • Require regular password updates from employees and be sure that you update passwords on third-party products like routers and modems.
  • Perform access audits to ensure that access to sensitive cardholder data is need-to-know only.
  • Implement employee PCI and data security training to teach your staff best practices.
  • Document your security policies and include an inventory of your equipment and systems as well as who has access to them.

In this article, we’ve shared more about PCI DSS compliance – what it is, how you can ensure your company is compliant, and the requirements for the four different compliance levels. It’s important to remember that PCI compliance isn’t a one-time event. It’s an ongoing commitment from your small business to help protect yourself and your customers.

Ready to work with a payment processor who can help you maintain PCI DSS compliance?

Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us.