What you need to know about PCI DSS merchant levels and how they affect your PCI compliance…
Are you here to learn about the PCI compliance levels for merchants? We’ve got you covered with this guide that breaks down the four merchant levels.
Not many people have even heard of the Payment Card Industry Data Security Standard (PCI DSS), but this standard affects everyone with a credit card (or who processes credit card transactions) every day. In 2004, when credit card fraud was running rampant, the credit card companies knew they needed some way to mitigate the problem or face a never-ending line of unhappy customers. The difficulty was that if any one of them tried to force merchants and service providers to meet its desired security requirements, the merchants would simply switch to another credit card company that wasn’t enforcing such high standards.
To combat this, five of the largest credit card companies joined together to create the PCI Security Standards Council, and PCI DSS with it. This way, merchants and service providers were forced to play by the council’s rules or face its wrath (in the form of fines from the individual card companies). Yes, I know that last line sounded very Game of Thrones-ish, but I assure you that PCI DSS is for the cardholder’s benefit — it ensures merchants provide top-notch security for the cardholder’s data.
However, with the creation of PCI DSS, it became clear to the PCI Security Standards Council that not all merchants needed to meet the same standards. With the latest iteration of PCI DSS (PCI DSS version 3.2.1), which features hundreds of security controls, it is neither practical nor necessary for every business to meet every standard in the same way, and this is why the PCI DSS merchant compliance levels were created.
In this article, we dive into the PCI DSS merchant compliance levels, what their differences are, and how each level affects companies differently.
More on PCI DSS & Why Merchant Compliance Levels Are Necessary
The point of PCI DSS is to mitigate vulnerabilities and enforce security standards that help merchants better protect cardholder data. Unfortunately, that data is a highly sought-after and lucrative target for attackers. Since 2005, more than 11 billion data records have been breached, according to privacyrights.org. This is why security is needed across the entire card-handling process: there are many points at which it could be breached.
From processing devices to servers to web applications to data in transit, every step of the process needs some type of security. PCI DSS extends beyond merchants to ensure that service providers meet the standards as well. Service providers are defined as “financial institutions that initiate and maintain the relationships with merchants that accept payment cards.”
To avoid noncompliance fines, merchants and service providers must maintain PCI compliance. The PCI DSS compliance levels help merchants know which requirements they are expected to meet. To learn more about PCI DSS, the requirements merchants are expected to meet, what a self-assessment is, and more, we have some related resources you will find valuable:
- Related: What Is PCI DSS? A Quick Guide to the 12 PCI DSS Requirements
- Related: How to Do a PCI Self Assessment
For more on PCI DSS compliance levels, keep on reading.
What Are the PCI Compliance Levels for Merchants?
Now it’s time to dive into the PCI DSS compliance levels. These are the PCI merchant compliance levels (as opposed to the service provider levels). The one thing that makes compliance levels a tad tricky is that each of the five major credit card brands has its own criteria for assigning them.
We broke each level down by credit card brand, so you can easily tell which level you fall into. We start with the most demanding level (Level 1) and work our way down to the least demanding one.
| Credit Card Brand | Criteria to Determine Level 1 Merchants |
|---|---|
| American Express | 2.5M+ American Express card transactions annually |
| Discover Financial Services | 6M+ Discover card transactions annually, or if another credit card brand deemed you a Level 1 Merchant |
| JCB International | More than 1M JCB card transactions annually |
| Mastercard | 6M+ combined Mastercard and Maestro card transactions annually, or has suffered a cyber-attack that resulted in compromised data |
| Visa | 6M+ Visa card transactions annually |
NOTE: All credit card brands reserve the right to deem a merchant Level 1 at their sole discretion.
| Credit Card Brand | Criteria to Determine Level 2 Merchants |
|---|---|
| American Express | 50,000-2.5M American Express card transactions annually |
| Discover Financial Services | 1M-6M Discover card transactions annually via their network |
| JCB International | Less than 1M JCB card transactions annually |
| Mastercard | 1M-6M combined Mastercard and Maestro card transactions annually |
| Visa | 1M-6M Visa card transactions annually |
| Credit Card Brand | Criteria to Determine Level 3 Merchants |
|---|---|
| American Express | 10,000-50,000 American Express card transactions annually |
| Discover Financial Services | All other merchants who process fewer than 1M Discover card transactions annually |
| JCB International | JCB does not have a Level 3 ranking |
| Mastercard | 20,000-1M combined Mastercard and Maestro card transactions annually |
| Visa | 20,000-1M Visa ecommerce transactions annually |
| Credit Card Brand | Criteria to Determine Level 4 Merchants |
|---|---|
| American Express | Less than 10,000 American Express card transactions annually |
| Discover Financial Services | Discover does not have a Level 4 ranking |
| JCB International | JCB does not have a Level 4 ranking |
| Mastercard | Fewer than 20,000 combined Mastercard and Maestro card transactions annually |
| Visa | All merchants processing up to 1M transactions annually, or fewer than 20,000 Visa ecommerce transactions |
How Do PCI DSS Compliance Levels Relate to Staying PCI Compliant?
If you handle cardholder data in any way, you need to be PCI compliant. To prove you are PCI compliant, you must undergo an annual validation demonstrating that you meet the necessary requirements. The PCI DSS compliance levels tell the credit card companies what type of annual validation you must go through to demonstrate that you meet their expected standards.
Below, we lay out what you need to know about maintaining PCI compliance through your annual validation, based on your PCI DSS compliance level.
Level 4-2 Merchants
If you’re a merchant who falls within PCI merchant levels 4, 3, or 2, you’re expected to complete the same general annual validation requirements across all three levels and all five credit card companies. There are slight differences in the expectations, which you can review at the links for your acquiring bank in the “What Are the PCI Compliance Levels for Merchants?” section above. In general, here is what Level 4-2 Merchants need to do during their annual validation:
Download and Complete a PCI Self-Assessment Questionnaire
This part is simple. All you need to do is download the correct PCI self-assessment questionnaire (SAQ) and answer the questions listed on it. The operative word in the last sentence is “correct”: there are eight PCI DSS self-assessment questionnaires to choose from, and it’s essential that you select the right one. They are sorted by how you accept payment cards.
Complete an Attestation of Compliance
Your attestation of compliance (AOC) is included with your PCI self-assessment questionnaire when you download it. The AOC is nothing more than a formal confirmation that you have completed your validation, signed by the appropriate parties.
Conduct Vulnerability Scanning
To ensure you are, indeed, secure and meeting the expected security standards, you’ll need to have a vulnerability scan completed by an Approved Scanning Vendor (ASV). An ASV is a data security firm that has been vetted and approved by the PCI Security Standards Council and uses a scanning solution to help verify that you are PCI compliant.
You should note that ASVs may use either an approved open source security solution or their own software. The task and responsibility of finding an ASV falls on you as the one seeking compliance.
Level 1 Merchants
If you’re a Level 1 Merchant, your road is a bit more involved. You’ll also need to complete an annual vulnerability scan by an Approved Scanning Vendor and an Attestation of Compliance. But rather than completing a PCI self-assessment questionnaire, you’ll need to undergo an on-site security assessment by a Qualified Security Assessor (QSA).
The goal of this on-site assessment is to confirm that you meet the applicable PCI DSS requirements. The QSA does this by reviewing all of your payment card procedures and systems and using their own “independent judgment” to verify that you meet the standard.
When you search for a QSA, it’s best to look for someone who has knowledge of your industry and gives you the sense that they would mesh with your company culture. The QSA will not simply come in and give you a stamp saying that you’re “approved” or “not approved” — it’s their job to be a resource as well and to help your company meet PCI DSS (hence the recommendation to find the right fit). Furthermore, it’s also recommended that you look for a QSA that is an ASV too, so you can kill two birds with one stone.
A Final Word on the PCI DSS Compliance Levels
From the PCI DSS compliance levels to how those levels affect merchants and their PCI compliance process, we have come to the end of our road. If you handle cardholder data, it’s vital that you stay up to date on this information and know which PCI DSS merchant compliance level you fall into. Make sure you do whatever you can to stay PCI compliant.
One way to streamline the process of attaining and maintaining PCI compliance is to use a PCI compliance scanner tool. An automated tool such as HackerGuardian will scan your entire network, compile the issues found, make recommendations on how to resolve them, and then put together a final report ready for you to submit to your acquiring bank.