PCI DSS Compliance Levels: A Complete Guide

Credit and debit card payments continue to be the standard for payment around the world. According to the Federal Reserve, in 2018, Americans made 131.2 billion card payments worth $7.08 trillion. The growing popularity of card payments offers a tempting and lucrative opportunity for hackers. As the card payment industry grows, credit card fraud and theft grow too. Last year, the Federal Trade Commission received 271,000 reports of credit card fraud in the US.

When hackers steal card information, they don’t only impact the cardholders. The entire payment card ecosystem — from merchants to banks to customers — feels the impact. The Payment Card Industry Data Security Standard (PCI DSS) was created to ensure that all companies securely process their payment card transactions. For any business processing payment card transactions, maintaining PCI DSS compliance is critical. Failing to comply with PCI DSS will impact the organization’s customers and business — a breach can mean a potential loss of revenue, customers, brand reputation, and trust.

What are the PCI DSS compliance levels?

PCI DSS applies to all organizations, regardless of size, if they accept, transmit, or store payment card data. There are four levels of PCI compliance, which are determined by the annual number of Visa transactions a merchant processes over one year:

1. Merchant Level 1: Any merchant processing over 6M Visa transactions per year, and any merchant that Visa determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2. Merchant Level 2: Any merchant processing 1M to 6M Visa transactions per year.
3. Merchant Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4. Merchant Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year and all other merchants processing up to 1M Visa transactions per year. 

What do these PCI DSS compliance levels mean?

There are different requirements for different levels of compliance. Any business that falls under Level 1 needs to conduct a yearly on-site review by an internal auditor and must do a network scan by an approved scanning vendor. Level 2, 3, and 4 businesses must complete the PCI DSS Self-Assessment Questionnaire annually and do quarterly network security scans with an approved scanning vendor. 

Where PII fits into PCI DSS

Personally identifiable information (PII) is any data that can identify a specific person. Some examples of PII include:

• Social security numbers
• Mailing addresses
• Email addresses
• Phone numbers
• IP addresses
• Login IDs

When it comes to PCI DSS, PII includes cardholder data, such as the cardholder’s name, the primary account number, and the card’s expiration date and security code. PCI DSS does not extend to any PII that is not considered cardholder data, such as protected health information (PHI) like diagnoses and lab test results. 

You must protect your customers’ sensitive information to maintain compliance and stay in business, and knowing where protecting PII and PCI intersect can help.

What happens if you don’t follow a PCI DSS compliance level requirement?

Depending on the PCI DSS level your organization falls under, failure to comply can lead to strict ramifications. For example, Visa has the right to to change your level standards to a stricter level, regardless of the number of credit card transactions processed each year. For example, if your organization is currently a level 4, you may be bumped to a level 1 for failure to to meet the level 4 compliance requirements. At level 1, you’ll now be required to receive an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor) to determine if you have demonstrated compliance.

Achieving PCI DSS compliance with the right scanning vendor

Every organization, regardless of its PCI DSS level, needs to use an approved scanning vendor every year. Ground Labs offers PCI DSS data discovery solution, Enterprise Recon PCI, that is trusted by PCI Qualified Security Assessors (QSAs) in 50+ countries. The solution easily and efficiently scans your servers, desktop, and cloud for PCI sensitive data, and it also brings security issues to your attention. Ground Labs’ PCI DSS solution can scan rapidly due to its low-impact distributed design, enabling co-existence with your company’s DLP solutions. Rapid scans will help your business reduce the time required to become compliant.

Interested in learning more about how to achieve compliance under PCI DSS regulations with Enterprise Recon PCI? Schedule a demo with a data discovery expert today.