A Guide to PCI Compliance Levels
Originally published April 6, 2021
As a merchant processes more debit and credit card transactions, the validation it must perform against the Payment Card Industry Data Security Standard (PCI DSS) becomes more stringent, because a breach would expose more cardholder data. The merchant levels, which the card brands (Visa, Mastercard and the others) define by annual transaction volume, range from Level 4 for merchants that process relatively few transactions up to Level 1 for those that process the most and therefore carry the greatest responsibility to protect cardholder data. The level decides how compliance is validated, not which requirements apply: every merchant that stores, processes or transmits cardholder data must meet the full PCI DSS.
The PCI Security Standards Council (PCI SSC) publishes a set of Self-Assessment Questionnaires (SAQs) that merchants eligible to self-assess use to document whether they meet the requirements applicable to their payment channel (for example, SAQ A for merchants that fully outsource all cardholder data handling to validated third parties, SAQ D for merchants that do not fit a narrower SAQ). Merchants with externally facing systems in their cardholder data environment must also have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) certified by the PCI SSC. Penetration testing is a separate PCI DSS requirement, not part of the ASV scan; it is performed by a qualified internal or external tester, who need not be an ASV.
Level 4
Merchants that process fewer than 20,000 e-commerce transactions annually, and all other merchants that process up to one million transactions annually across all channels. They validate with the relevant SAQ each year and, where they have externally facing systems in scope, quarterly ASV scans; the acquiring bank decides what validation it actually requires from its Level 4 merchants.
Level 3
Merchants that process between 20,000 and one million e-commerce transactions annually. They too submit the SAQ relevant to their environment each year and have quarterly ASV scans where applicable.
Level 2
Merchants that process between one and six million debit and credit card transactions annually across all channels (card-present and e-commerce). They submit the SAQ relevant to their environment each year (Mastercard requires that it be completed by a PCI-certified Internal Security Assessor or replaced by an on-site assessment) and have quarterly ASV scans where applicable.
Level 1
Merchants that process more than six million debit and credit card transactions annually across all channels. They must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), or by a PCI-certified Internal Security Assessor (ISA) where the card brand permits it, producing a Report on Compliance (ROC) and an Attestation of Compliance (AOC) rather than an SAQ. They must also have quarterly external vulnerability scans performed by an ASV and penetration testing performed at least annually and after significant changes in order to retain Level 1 compliance. A merchant that has suffered a compromise can be escalated to Level 1 by the card brands regardless of its transaction volume.
What does Level 1 Compliance Mean For Me?
A vendor that achieves and maintains Level 1 PCI compliance is validated under the most rigorous process the card brands require, an annual on-site assessment by an independent assessor rather than a self-assessment, backed by quarterly ASV scans and penetration testing. It also processes enough transactions to have broad experience in navigating existing and emerging payment security infrastructure.
References
Ritacca, J. (2021, April 6). A Guide to PCI Compliance Levels [web log].
Ritacca, J. (2021, March 24). PCI Compliance: What it means and how it's evaluated [web log].
Joe Ritacca
Director of Research and Development, Precise