A Complete Guide to PCI Compliance Levels

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a global security requirement for any organization that processes, stores or transmits credit cardholder information. Released in 2004, the standard serves as a minimum set of requirements needed to protect customers’ payment data from being compromised and ensures the security of credit card transactions in the payments industry. However, keeping up with PCI compliance levels can be difficult, especially since there are a lot of nuances based on how many transactions a merchant makes.

It’s especially important to maintain PCI DSS compliance because security threats are everywhere. In 2019, the Federal Trade Commission received 271,000 reports of credit card fraud in the US. When hackers steal card information, they don’t only impact the cardholders. The entire payment card ecosystem — from merchants to banks to customers — feels the impact.

The PCI DSS was created to ensure that all companies securely process their payment card transactions. Maintaining PCI DSS compliance is critical for any business processing payment card transactions. Failing to maintain with PCI DSS compliance will impact the organization’s customers and business — a breach can mean a potential loss of revenue, customers, brand reputation, and trust.

What are the PCI DSS compliance levels?

PCI DSS applies to all organizations, regardless of size, if they accept, transmit, or store payment card data. There are four levels of PCI compliance, which are determined by the annual number of credit or debit card transactions a merchant processes over one year:

1. Merchant Level 1: Any merchant processing over 6M in-store card transactions per year with Visa, Mastercard, Discover, or American Express. Merchants at this level must conduct an annual audit with an authorized PCI authority as well as an annual attestation of compliance form. They are also required to conduct quarterly PCI network scans with an approved scanning vendor. Requirements for service providers are a little more involved at all four levels, requiring an additional penetration test and internal scans to remain compliant.
2. Merchant Level 2: Any merchant processing 1M to 6M Visa transactions per year. At this level, merchants must complete an annual self-assessment questionnaire (SAQ) and an attestation of compliance form in addition to the quarterly PCI network scans.
3. Merchant Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. Compliance requirements at Merchant Level 3 are identical to those at level 2, including differences for service providers.
4. Merchant Level 4: Any merchant processing fewer than 20,000 e-commerce transactions or up to 1M in-store transactions per year. This level also requires an annual SAQ and quarterly PCI scans, but does not require additional audits.

What do these PCI DSS compliance levels mean?

There are different requirements for different levels of compliance. Any business that falls under Level 1 needs to conduct a yearly on-site review by an internal auditor and must do a network scan by an approved scanning vendor. Level 2, 3, and 4 businesses must complete the PCI DSS Self-Assessment Questionnaire annually and do quarterly network security scans with an approved scanning vendor. 

Where PII fits into PCI DSS

Personally identifiable information (PII) is any data that can identify a specific person. Some examples of PII include:

• Social security numbers
• Mailing addresses
• Email addresses
• Phone numbers
• IP addresses
• Login IDs

When it comes to PCI DSS, PII includes cardholder data, such as the cardholder’s name, the primary account number, and the card’s expiration date and security code. PCI DSS does not extend to any PII that is not considered cardholder data, such as protected health information (PHI) like diagnoses and lab test results. 

Vendors must protect their customers’ sensitive information to maintain compliance and stay in business, and knowing where protecting PII and PCI intersect can help.

What happens if you don’t follow a PCI DSS compliance level requirement?

Depending on the PCI DSS level your organization falls under, failure to comply can carry severe penalties. For example, Visa has the right to to change your level standards to a stricter level, regardless of the number of credit card transactions processed each year. For example, if your organization is currently a level 4, you may be bumped to a level 1 for failure to to meet the level 4 compliance requirements. At level 1, you’ll now be required to receive an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor) to determine if you have demonstrated compliance.

Achieving PCI DSS compliance with the right scanning vendor

Every organization, regardless of its PCI DSS level, needs to use an approved scanning vendor each quarter. Ground Labs offers PCI DSS data discovery solution, Our Enterprise Recon PCI, that is trusted by PCI Qualified Security Assessors (QSAs) in 50+ countries. The solution easily and efficiently scans your servers, desktop, and cloud for PCI sensitive data, and it also brings security issues to your attention. Ground Labs’ PCI DSS solution can scan rapidly due to its low-impact distributed design, enabling co-existence with your company’s DLP solutions. Rapid scans will help your business reduce the time required to become compliant.

Interested in learning more about how to achieve compliance under PCI DSS regulations with Enterprise Recon PCI? Schedule a demo with a data discovery expert today.