If your organization stores, processes, or transmits cardholder data, then you must comply with PCI DSS(Payment Card Industry Data Security Standards). PCI DSS is a compliance framework that protects cardholder data from unauthorized use.
The PCI security standards framework lists six objectives through 12 security requirements for eligible businesses to implement to ensure the integrity of user card data.
The compliance requirement for every organization is different and is based on the annual transaction volume of the business. The different set of requirements based on the volume-based classification method is called PCI DSS Levels.
In this article, we talk about four levels of PCI DSS, the need for these levels, and how you can determine the PCI DSS Level of your business. We also share insights on the Self Assessment Questionnaire (SAQ).
What are PCI Compliance Levels?
PCI DSS is not a flat framework. We mean that every organization that falls in the scope of this framework is not required to apply the same controls and procedures to become/remain compliant. Organizations’ compliance Levels are classified based on the number of annual transactions processed in a year. And based on the Level, a business gets classified as they are required to implement the necessary controls and policies required for that Level.
A Level 1 has the most comprehensive list of things to do to ensure compliance, while the process for a Level 4 company to become PCI DSS compliant is comparatively simpler.
Read on to know PCI DSS Levels and the compliance requirements for each Level further in the article.
Another factor that influences the Level of a business is its breach history. Regardless of the transaction volume business processes, if they have been a victim of a breach incident in the recent past, they automatically get bumped up to ‘Level 1’ status and are expected to implement all the requirements of a Level 1 business to remain compliant.
Why do Organizations need to follow PCI DSS Levels of Compliance?
The PCI Levels for merchants outline the requirements an organization is expected to implement to become/remain PCI DSS compliant. Unfortunately, the PCI Council, the regulatory body of PCI DSS, does not have the resources to audit every organization that processes, stores, or transmits card payment data. So, in the event of a breach, the PCI council audits the organization that was breached and verifies if they were complying with all the listed requirements to ensure data integrity and security. If compliance violation is detected, organizations are charged hefty administrative penalties. In some cases, their access to process card-based transactions is revoked.
PCI DSS compliance Levels help businesses with the classification and lists the security requirements and policies required for their business to become/remain compliant.
What Are The 4 PCI DSS Levels?
The four PCI DSS Levels are:
If a business processes over six million transactions a year, it is a Level 1 business. This definition is rudimentary as other qualifying factors also come into play to decide if a business is Level 1. You are a Level 1 business, if either one of the all following or all the below listed criteria are met.
Here’s a comprehensive list to identify if your business is a Level 1 business:
- You process over 6 million VISA, MasterCard, and Discover transactions in a year
- You process over 2.5 million transactions of American Express in a year
- You process over 1 million JCB transactions in a year
- You have been identified as a Level 1 business by any other card provider
- You have been a victim of a cyber security incident in the recent past that led to the loss of customer data
A common misconception is that to be a Level 1 business, they must process transactions actively. Well, that’s not the case. If you are a business that only stores that transaction information, you’ll still have to be Level 1 compliant.
Firewall service providers, cloud storage service providers, and others who passively participate in this fall under this scope.
Any business that processes 1 – 6 million transactions annually is tagged as a Level 2 business for simplicity and convenience.
Like Level 1, Level 2 also has other qualifiers. Here’s the list:
- You process 1 to 6 million card-based transactions in a year of VISA, MasterCard, and Discover
- You process over 50,000 to 2.5 million transactions of American Express in a year
- You process less than 1 million JCB transactions in a year
In everyday terminology, a Level 3 business processes less than 1 million transactions annually. However, like the other two Levels, there are additional qualifiers for a Level 3 business you should know about.
For example, you are a Level 3 business if:
- You process up to 1 million VISA-based e-commerce transactions in a year
- You process less than 20,000 MasterCard-based e-commerce transactions a year and less than 1 million total MasterCard transactions in a year.
- You process 20,000 to 1 million Discover based e-commerce transactions in a year
- You process less than 50,000 American Express transactions annually
Did you know that JCB does not identify Level 3 status? Any organization processing less than 1 million JCB transactions in a year must comply with the PCI DSS Level 2 requirements.
Any business that processes under 20,000 e-commerce transactions of VISA or Mastercard in a year or under 1 million total transactions for VISA or MasterCard in a year is classified as a Level 4 business.
It is important to note that, for a business to maintain a Level 4 status, it should not have been breached or become a victim of data theft in the recent past.
How Can Merchants Determine Their PCI DSS Level?
If you aren’t still sure of the extent of transactions in your business processes, you can conduct an internal audit dating back to the last 52 weeks and examine that data to come up to a conclusion.
You can also hire an external auditor for this job to ensure that no data is missed and the conclusion of your PCI DSS Level is accurate.
The last thing you want is to become non-compliant with PCI DSS by implementing incorrect compliance requirements.
What is The Self-Assessment Questionnaire?
Filling out a Self Assessment Questionnaire (SAQ) is a mandatory step in the PCI compliance process. However, how a business fills out an SAQ depends on the nature of the transactions they process. For instance, if a business processes e-commerce transactions and does not store, process, or transmit card information in their business environment, they are required to fill out the SAQ- A. Likewise, if SAQ-B is for those merchants who have no electronic storage records of the data they process and use a wired dial-out terminal for their transactions.
Types of SAQs Depend on The Organization’s Merchant Level
Based on the nature of transactions in your business process, you are required to fill out an SAQ. Here’s an infographic detailing the different types of SAQs to help you identify the one that applies to your business.
To become PCI DSS compliant, every organization processing card transactions must fill out an SAQ, conduct quarterly scans of their business environments, and produce an Attestation of Compliance (AOC).
A Level 1 business will need to get its assessments done either by an external QSA (Qualified Security Assessor) or by an ISA ( Internal Security Assessor). The auditor assesses the scope of compliance and evaluates if the requirements are met and if the necessary controls and policies are implemented.
After the audit, they produce a Report Of Compliance (ROC), which is then sent to the PCI Council for approval.
For any business that qualifies as Level 2-4, the process is less intensive compared to a Level 1 business. Level 2-4 companies can complete their assessment themselves. That said, Level 2 organizations are still required to produce a ROC.
Find out how Sprinto Can Help You Become PCI DSS Compliant
The PCI DSS compliance process is exhaustive and time-intensive. Hundreds of controls must be implemented based on your business needs and processes. And doing this yourself can result in non-compliance, loss of productivity, and make the process expensive.
Did we mention there is a chance that you could be non-compliant after all the effort, time, and financial resources you spent to make your business PCI compliant?
Is there an easier way to approach this? Yes, there is—the Sprinto way.
Sprinto is purpose-built to automate all the monotonous and time-taking tasks involved in becoming PCI DSS compliant. Sprinto integrates with your business environment to give you visibility of your complete business environment to identify existing vulnerabilities and predict future occurrences. Sprinto’s automation process ensures that we do the heavy lifting in your compliance process while you focus on what matters to you the most – Business Development.
That’s not all. After you’ve implemented all the PCI DSS requirements, Sprinto helps you continuously monitor your systems to track your compliance posture and ensure that any new critical error is addressed immediately.
Talk to our experts today to understand how Sprinto can make your compliance journey a breeze.
What is Level 4 PCI compliance?
Level 4 PCI compliance is the set of rules laid out by PCI DSS that applies to all businesses that process less than 20,000 e-commerce-based MasterCard or VISA transactions a year or less than 1 million VISA transactions in a year.
What is a Level 3 merchant?
A Level 3 merchant processes less than 1 million VISA or MasterCard-based e-commerce transactions in a year or processes 20,000 to 1 million MasterCard transactions a year.
Level 3 merchants also process less than 50,000 American Express transactions in a year or process between 20,000 to 1 million Discover transactions annually.
Who defines merchant Levels for PCI?
The PCI council has laid out the guidance required to help merchants or businesses in identifying the Level they fall into.