If you accept payment (credit or debit) cards carrying the logos of any of the founding members of the PCI SSC (PCI Security Standards Council), which include Visa, Mastercard, American Express, Discover, and JCB, then you are considered a merchant. As a merchant, you must comply with the PCI DSS (Payment Card Industry Data Security Standard), which the PCI SSC maintains, to protect any cardholder data you transmit, process or store. If you don't meet the requirements, you could face fines, penalties and, ultimately, the loss of your ability to accept card payments.
Recognizing that merchants handle very different transaction volumes, the card brands (not the PCI SSC itself, which publishes the standard) define merchant levels that set how compliance must be validated at each volume. Your business will fall into one of four levels based on the number of card transactions you process each year; the thresholds below are those used by Visa and Mastercard, and each brand counts only its own transactions. Here is a breakdown of the different PCI compliance levels and how they are determined.
Level 1 Compliance
To fall into this level, you must process more than six million transactions a year. A card brand can also place a merchant at Level 1 regardless of volume, for example after a data breach. The key requirements for Level 1 include:
- Have an annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA).
- Have a quarterly external vulnerability scan performed by an Approved Scanning Vendor (ASV).
- Complete an annual penetration test and quarterly internal vulnerability scans (both are PCI DSS requirements), and submit an Attestation of Compliance (AOC).
Level 2 Compliance
This level applies to merchants that process between one million and six million transactions a year. Here are the requirements for Level 2:
- Complete an annual Self-Assessment Questionnaire (SAQ). Mastercard requires that the SAQ be completed by a certified Internal Security Assessor (ISA) on your staff; otherwise, have an onsite assessment performed by a PCI SSC-qualified QSA.
- Have a quarterly external vulnerability scan performed by an ASV, and submit an Attestation of Compliance (AOC).
- Determine whether other requirements apply to you, such as a penetration test or internal vulnerability scans, based on which SAQ type you fall into.
Level 3 Compliance
Merchants that process between 20,000 and one million e-commerce transactions a year fall into this level. If that describes you, you will need to do the following:
- Complete an annual SAQ and have a quarterly external vulnerability scan performed by an ASV.
- Submit an Attestation of Compliance (AOC).
- Determine whether additional requirements apply based on your SAQ type, such as a penetration test or internal vulnerability scans.
Level 4 Compliance
Any merchant that processes fewer than 20,000 e-commerce transactions a year, or up to one million transactions a year through any channel, is Level 4. The Level 4 requirements are very similar to Level 3, although the exact validation your acquiring bank asks for is set by the acquirer:
- Complete an annual SAQ and have a quarterly external vulnerability scan performed by an ASV.
- Submit an Attestation of Compliance (AOC).
- Check for any additional requirements related to your SAQ type.
To make sure you meet every requirement, first verify your transaction volume for the past 52 weeks with your acquiring bank. Once you know your level, follow the validation requirements for that level. You may need an approved vendor or your payment processing partner to help conduct the validation. Once validation is complete and the results are sent to your acquiring bank, the bank passes your compliance status on to the card brands you work with.
Because PCI compliance can be complex, especially for merchants at Level 1 or Level 2, it is a good idea to consult a Qualified Security Assessor for recommendations on how to make your business fully compliant. Understand the compliance process and map how cardholder data enters, moves through and leaves your network (PCI DSS requires a cardholder data flow diagram), since that map shows which systems are in scope and where security issues can arise. Lastly, document everything related to PCI compliance in your policies and procedures so that security stays current and your employees understand what is involved.
Finding PCI Compliance Assistance
When seeking help with PCI compliance, research how each payment processing partner you are considering helps you meet the requirements for your level. You should not have to pay monthly PCI fees to become compliant; that support should be included with your merchant account, because compliance is mandatory.
Seek a payment processing partner that takes the time to explain the compliance requirements and keeps you updated on changes to them. After all, it is not just about getting service; being educated lets you make the most informed decisions for your business and keep your payment process secure.