The Ultimate Guide to PCI DSS Compliance Levels and Requirements

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements, maintained by the PCI Security Standards Council, for every organization that stores, processes, or transmits payment card data. Compliance is not a legal mandate but a contractual obligation that the card brands impose through acquiring banks. The security requirements are the same for everyone; what changes with an organization's annual transaction volume is how compliance must be validated, from a self-assessment at the low end to an annual on-site assessment at the top.



PCI DSS Compliance Levels

Compliance levels are assigned by annual payment card transaction volume, with four levels for merchants and two for service providers. The levels are defined by the individual card brands rather than by the PCI SSC; the thresholds below follow Visa's program, and the other brands' thresholds are similar but not identical. A higher level does not add security requirements, it raises the validation burden: who performs the assessment and what evidence must be produced.


PCI DSS Compliance Levels for Merchants
Merchants are organizations that accept payment cards for goods or services. The four levels are:

Level 1:

  • Transaction Volume: Over 6 million transactions per year.
  • Requirements:
    • Annual on-site assessment documented in a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or, where the card brand allows it, by an internal team holding PCI SSC Internal Security Assessor (ISA) certification and signed off by a company officer.
    • Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
    • Attestation of Compliance (AOC) form.
  • Who It Applies To:
    • Large enterprises with high transaction volumes.
    • Any merchant a card brand escalates to Level 1 regardless of volume, typically after a breach of cardholder data.


Level 2:

  • Transaction Volume: 1 to 6 million transactions per year.
  • Requirements:
    • Annual Self-Assessment Questionnaire (SAQ); Mastercard requires it to be completed by staff holding ISA certification or by a QSA.
    • Quarterly network scans by an ASV.
    • Attestation of Compliance (AOC) form.
  • Who It Applies To:
    • Mid-sized merchants.


Level 3:

  • Transaction Volume: 20,000 to 1 million e-commerce transactions per year.
  • Requirements:
    • Annual Self-Assessment Questionnaire (SAQ).
    • Quarterly network scans by an ASV.
    • Attestation of Compliance (AOC) form.
  • Who It Applies To:
    • Small to medium-sized e-commerce merchants.


Level 4:

  • Transaction Volume: Fewer than 20,000 e-commerce transactions per year, or up to 1 million transactions per year through other channels.
  • Requirements:
    • Annual Self-Assessment Questionnaire (SAQ).
    • Quarterly network scans by an ASV where the acquirer requires them; whether external scans are in scope depends on the SAQ type.
    • Attestation of Compliance (AOC) form.
    • Validation requirements at this level are set by the acquiring bank, so they vary from one acquirer to another.
  • Who It Applies To:
    • Small merchants with low transaction volumes.

 

PCI DSS Compliance Levels for Service Providers
Service providers are entities that process, store, or transmit cardholder data on behalf of other organizations (e.g., payment processors, hosting providers). The levels are slightly different:

Level 1:

  • Transaction Volume: Over 300,000 transactions per year; Visa also places all VisaNet processors and payment gateways at Level 1 regardless of volume.
  • Requirements:
    • Annual on-site assessment documented in a Report on Compliance (ROC) by a QSA.
    • Quarterly network scans by an ASV.
    • Attestation of Compliance (AOC) form. Merchant customers rely on this AOC as evidence for their own assessments, and validated providers can be listed on Visa's Global Registry of Service Providers.
  • Who It Applies To:
    • Large service providers with high transaction volumes.


Level 2:

  • Transaction Volume: Fewer than 300,000 transactions per year.
  • Requirements:
    • Annual Self-Assessment Questionnaire (SAQ D for Service Providers).
    • Quarterly network scans by an ASV.
    • Attestation of Compliance (AOC) form.
  • Who It Applies To:
    • Smaller service providers.


Key Requirements of PCI DSS
Regardless of level, every entity in scope must meet all twelve PCI DSS requirements; the level changes only how compliance is validated:

  1. Install and Maintain a Firewall:
    • Segment the cardholder data environment (CDE) from the rest of the network and restrict inbound and outbound traffic to what is documented and needed. Segmentation also shrinks the assessment scope.
  2. Do Not Use Vendor-Supplied Defaults:
    • Change default passwords, keys and community strings, remove unneeded services and accounts, and apply a hardening standard to every system component.
  3. Protect Stored Cardholder Data:
    • Keep the primary account number (PAN) only where a documented business need exists, render it unreadable wherever it is stored (strong cryptography, truncation, tokenization or keyed hashing), mask it on display, and never retain sensitive authentication data (full track data, card verification codes, PINs) after authorization.
  4. Encrypt Transmission of Cardholder Data:
    • Use strong cryptography (TLS 1.2 or later with trusted certificates; SSL and early TLS are not permitted) whenever cardholder data crosses open, public networks, including wireless.
  5. Use and Regularly Update Antivirus Software:
    • Deploy anti-malware on systems commonly affected by malware, keep it current and logging, and periodically confirm that systems judged not at risk still are not.
  6. Develop and Maintain Secure Systems:
    • Apply critical security patches within one month of release, follow secure development practices with code review, and protect public-facing web applications, for example with a web application firewall.
  7. Restrict Access to Cardholder Data:
    • Grant access by business need to know and least privilege, typically through role-based access control (RBAC), with a default deny-all.
  8. Assign a Unique ID to Each Person with Computer Access:
    • Individual accounts with no shared credentials, strong authentication, and multi-factor authentication for administrative and remote access into the CDE.
  9. Restrict Physical Access to Cardholder Data:
    • Control and record physical entry to facilities and systems holding cardholder data, and protect media and payment terminals from tampering or substitution.
  10. Track and Monitor All Access to Cardholder Data:
    • Log all access to cardholder data and all administrative actions, protect logs from alteration, synchronize clocks, review logs daily (usually through a SIEM), and retain them for at least one year with three months immediately available.
  11. Regularly Test Security Systems and Processes:
    • Quarterly internal and external (ASV) vulnerability scans, penetration testing at least annually and after significant changes, segmentation testing, and change-detection or file-integrity monitoring.
  12. Maintain an Information Security Policy:
    • Maintain and review annually a security policy, risk assessment, awareness training, incident response plan, and oversight of third-party service providers.

The titles above use the PCI DSS v3.2.1 wording. PCI DSS v4.0, which replaced v3.2.1 when that version was retired on 31 March 2024, keeps the same twelve numbered requirements but rewords several titles; requirement 1 now reads "Install and maintain network security controls", and requirement 5 covers all malicious software rather than antivirus specifically.


Steps to Achieve PCI DSS Compliance

  1. Determine Your Compliance Level and Scope:
    • Identify your annual transaction volume per card brand to find your level, then define the cardholder data environment: every system that stores, processes or transmits cardholder data, plus anything connected to it or able to affect its security. Shrinking that footprint (network segmentation, tokenization, hosted payment pages) is the single biggest lever on compliance effort.
  2. Implement Security Controls:
    • Address all 12 PCI DSS requirements across the in-scope environment, closing the gaps found in an internal gap assessment before the formal validation begins.
  3. Conduct Vulnerability Scans and Tests:
    • Perform quarterly external scans through an Approved Scanning Vendor (ASV), remediating and rescanning until the scan passes, together with the internal scans and penetration tests that requirement 11 calls for.
  4. Complete the Required Documentation:
    • For Level 1: a Report on Compliance (ROC) from the on-site assessment.
    • For the other levels: the Self-Assessment Questionnaire (SAQ) that matches your payment channel, for example SAQ A for merchants that fully outsource card handling to a validated provider, or SAQ D for those that store cardholder data electronically.
  5. Submit Compliance Reports:
    • Provide the Attestation of Compliance (AOC) together with the ROC or SAQ and the passing ASV scan reports to your acquiring bank or the card brand, in the form and on the schedule they specify.
  6. Maintain Ongoing Compliance:
    • Treat compliance as a continuous state rather than an annual event: review logs, scan, patch, re-test, and reassess scope after every significant change to the environment.

Consequences of Non-Compliance
Failing to comply with PCI DSS can result in:

  • Fines: Levied by the card brands on the acquiring bank, which passes them on to the merchant, typically on a monthly basis until compliance is validated.
  • Increased Transaction Fees: Non-compliant organizations may face higher processing fees.
  • Data Breaches: Non-compliance increases the likelihood of a breach, and a breach of cardholder data triggers a mandatory investigation by a PCI Forensic Investigator (PFI), usually escalation to Level 1 validation, and liability for card reissuance and fraud losses.
  • Loss of Trust: Customers may lose confidence in the organization’s ability to protect their data.
  • Termination of Merchant Accounts: Acquiring banks may terminate relationships with non-compliant merchants.

Tools and Resources for PCI DSS Compliance

  1. Self-Assessment Questionnaires (SAQs):
    • Several SAQs exist, each tied to a payment channel and the amount of cardholder data handled: SAQ A and A-EP for e-commerce merchants who outsource card handling in full or in part, B and B-IP for standalone terminals, C and C-VT for payment applications and virtual terminals, P2PE for validated point-to-point encryption solutions, and D for everyone else (with a separate SAQ D for service providers). Choosing the wrong SAQ is a common and costly mistake, so confirm eligibility with the acquirer.
  2. Approved Scanning Vendors (ASVs):
    • Use ASVs to perform the required quarterly external vulnerability scans; only an ASV's scan report is accepted as evidence.
  3. Qualified Security Assessors (QSAs):
    • Engage a QSA for the Level 1 on-site assessment and ROC, or for advice on scoping and SAQ selection at the other levels.
  4. PCI Security Standards Council (PCI SSC):
    • Access official guidelines, templates, and resources.

By understanding and adhering to the appropriate PCI DSS compliance level, organizations can protect cardholder data, reduce the risk of breaches, and maintain trust with customers and partners.