Levels of PCI DSS compliance: We often get asked about the levels of compliance for PCI DSS, so here is our attempt to explain them. Are you considering taking credit cards as a form of payment? Are you already taking credit cards and have experienced substantial growth in your annual volume? Are you wondering what your responsibilities are as a Merchant or Service Provider? If you answered yes to most of these, hold on to your seat: it is a fun process, and one that needs to be repeated annually!
PCI DSS levels for Merchants
Fortunately, the PCI Security Standards Council and the five card brands (Visa, MasterCard, American Express, Discover, and JCB) have outlined in detail what is expected of merchants. A merchant is an entity that stores, processes or transmits credit card information and has a merchant ID. Each merchant is categorized into a "level" based on the number of transactions it processes in a year. The thresholds are set by each card brand individually (and some brands count e-commerce transactions separately), but the commonly cited breakdown is:
- Level 1 (more than 6 million transactions)
- Level 2 (1 million to 6 million transactions)
- Level 3 (20,000 to 1 million transactions)
- Level 4 (fewer than 20,000 transactions)
Determining the merchant level often raises questions. The card brands recommend that merchants contact their acquiring bank and, with the bank's assistance, complete the following steps:
- Determine the merchant level using transaction volume from the most recent 52-week period.
- Confirm necessary PCI validation requirements.
- Engage an approved vendor, as appropriate, and follow the validation procedures.
Once a merchant has been validated as compliant, it must submit the validation documentation to its acquiring bank, which then reports the merchant's compliance status to the card brands.
PCI DSS levels for Service Providers
So what if you don't have a merchant ID and you are not a payment brand, but you still handle cardholder data for someone else? The PCI Security Standards Council (SSC) defines a service provider as follows:
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.
For Service Providers there are two levels, based on the annual volume of transactions processed:
- Level 1 (more than 300,000 transactions annually)
- Level 2 (fewer than 300,000 transactions annually)
With that being said, if your organization operates as a service provider (regardless of which level you fall into), you may want to consider the business value of completing a PCI Level 1 audit, also known as a PCI ROC (Report on Compliance). A ROC must be performed by a Qualified Security Assessor (QSA), who validates your organization's PCI compliance status; if you have met all of the requirements, the QSA signs off on an Attestation of Compliance (AOC) that you can provide to customers and other interested parties looking to verify your PCI compliance status. A Level 1 AOC is frequently what larger customers ask for during vendor due diligence, which is why many Level 2 service providers choose to go this route voluntarily.
Service Providers that fall below the 300,000 transaction threshold can instead self-assess using SAQ D for Service Providers, the only SAQ the PCI Security Standards Council allows service providers to complete. Note that the level only determines how you validate compliance (ROC versus SAQ); the PCI DSS requirements themselves apply in full either way.
Now that we have outlined the various PCI DSS compliance levels, you should figure out which level you fall into today and then start tackling the process. We recommend getting your colleagues from Finance, IT and the business lines involved in the credit card process, as PCI compliance is not just an IT issue, it is a business issue.
Need help navigating the complex world of PCI Compliance? Contact us if you have any questions.