Depending on the size of your business and the number of transactions you process, you may have to meet differing levels of criteria for proving your PCI compliance.
In this article, we’ll explore the four levels of PCI compliance, as well as what you’ll need to do to satisfy the reporting requirements that pertain to your merchant classification.
One thing to note before we begin: while the following levels mostly serve to classify businesses into different size groups, PCI compliance affects companies of all sizes. Just because you may not meet a given reporting requirement threshold doesn’t mean that security just goes out the window. You still need to take precautions to preserve cardholder data even as the reporting and analysis of those precautions and your infrastructure may vary.
So with that in mind, let’s look more closely at the four different PCI compliance levels (for more details, head over to Mastercard’s website, which explores these levels in some detail).
Level 4 is the lowest level of PCI compliance, but it still requires you to take steps to preserve your digital integrity.
If you have fewer than 20,000 transactions involving a single credit card provider type, such as Mastercard or Visa, in a year, then you are a Level 4 merchant. This means that all you’re required to do to verify PCI compliance is to take a Self-Assessment Questionnaire.
Rather conveniently, the PCI Security Standards Council has made these questionnaires readily available on their website, and you can find them here.
You’ll fill out a different questionnaire depending on the type of business you are. For instance, if you’re an E-commerce provider who relies on third parties for your payment processing, you’re going to fill out a slightly different questionnaire than a business owner with physical locations who must establish an IP connection from the payment terminal to the payment processor.
Visit the PCI Security Standards Council’s website to determine your required questionnaire, and follow the steps to gauge your compliance levels. You likely don’t need to report this information, nor are you technically required to consult outside expertise in order to verify your compliance; however, if you’d like to do so, you certainly can, and it will no doubt go a long way toward protecting your brand security, even if your size doesn’t automatically trigger additional requirements.
You are, after all, still required to be PCI compliant, even if you don’t have organizations breathing down your neck to verify your compliance. And it might be a good idea to ask your bank if they have any specific reporting requirements, even for Level 4 providers, just to err on the side of caution.
Level 3 applies to all businesses with fewer than 1 million, but more than 20,000, transactions of a single card provider in a year.
At this level, you have to follow the same steps as a Level 4 provider; namely, filling out the relevant Self-Assessment Questionnaire. In addition, having this many transactions also triggers a separate reporting requirement.
Once you’ve determined your PCI compliance level using the questionnaire, you’re required to report this data to the bank that processes your credit card payments. The bank will then relay the information to the relevant card providers, so that at any given moment, there’s a chain of PCI compliance verification in place.
As with a Level 4 business, you’re not technically required to engage an outside party to vet your PCI compliance efforts. But if you do, you’ll consult what’s known as a Qualified Security Assessor, who will analyze your business’s PCI compliance efforts in what’s known as a PCI DSS Assessment. They will use their findings from this assessment to put together a Report on Compliance.
This is not required, but because you’ve graduated to a higher threshold of credit card transactions, remember that the risk to your brand security can also increase. Relying on an expert Qualified Security Assessor limits the possibility of error and can help you take charge of cybersecurity even when it’s not mandated that you do so.
The Level 2 requirements are very similar to Level 3, and pertain to businesses with 1 to 6 million transactions in a given year.
If your business type puts you in the category of the A, A-EP, or D Self-Assessment Questionnaires, then you are required to have a Qualified Security Assessor, or another type of expert known as an Internal Security Assessor, fill out the PCI DSS Assessment and subsequent Report on Compliance.
All other merchant types aren’t required to take this additional step, but again, doing so provides a certain degree of protection and confidence that you may not get otherwise.
A Level 1 merchant is any business that’s processing more than 6 million card transactions per year.
For these merchants, you have no choice about your type of assessment. You are required to take part in the PCI DSS Assessment from a qualified vendor, and you have to do this every year.
And really, why wouldn’t you want to? If you’re that large of a company, you ought to do everything you can to ensure your customers’ cardholder data is secure. The cost is minor in comparison to the cost of a breach and its attendant hit on your brand’s reputation.
There’s also one other type of business that falls into this category, and that’s any company, regardless of size, that has had accounts compromised because of a hack. This rule is put in place to ensure that the conditions that led to such an attack can be protected against in the future.
Where Do You Stand?
When you consider the different levels of PCI compliance, the different types of questionnaires, and the added possibility of a compliance report from a certified security professional, boosting security quickly is a more complex endeavor than it may initially seem.
If you’d like help determining the category your business falls into, or if you’d like to assess your current PCI compliance efforts, contact Logic Shield. We’ll provide you with a free gap analysis so you can see where you stand and begin to take the steps necessary to protect your business.