PCI DSS Compliance - Requirements and Merchant Levels

If your organization or business accepts credit card payments from any of the five major credit card brands (American Express, VISA, Mastercard, Discover and JCB), then you are expected to be PCI compliant at one of a range of levels that depends on the volume of your transactions. Our past blog outlined what PCI DSS is and how to evaluate whether your business needs PCI DSS compliance.

In this blog, we share a breakdown of the PCI DSS requirements and the various merchant levels.

The 12 requirements of PCI DSS Compliance

There are 12 overarching requirements of PCI DSS compliance, all designed to protect cardholder data. They are as follows:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

What are the levels of PCI Compliance?

There are four distinct levels of PCI compliance. Merchants are assigned to a level based on their annual card transaction volume (credit, debit and prepaid). In the event of a data breach, a merchant may be required to move up to a higher level of compliance.

Level 1 Merchants 

This level consists of merchants that process over 6 million transactions over a period of 12 months through all channels (card present, card not present, eCommerce). This also includes global merchants who process 6 million transactions across all their regions, which may require the entire business to comply at this level.

If you are a level 1 merchant you need to:

  1. Complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
  2. Complete quarterly network scans by an Approved Scanning Vendor (ASV)
  3. Complete the Attestation of Compliance Form

Level 2 Merchants 

This level consists of merchants who process between 1 and 6 million transactions over a period of 12 months through all channels (card present, card not present, eCommerce).

If you are a level 2 merchant you need to:

  1. Complete an Annual Self-Assessment Questionnaire (SAQ)
  2. Complete a quarterly network scan by an ASV
  3. Complete the Attestation of Compliance Form

Level 3 Merchants 

This level consists of merchants who process 20,000 to 1 million transactions over a period of 12 months via eCommerce processing methods.

If you are a level 3 merchant you need to:

  1. Complete an Annual Self-Assessment Questionnaire (SAQ)
  2. Complete a quarterly network scan by an ASV
  3. Complete the Attestation of Compliance Form

Level 4 Merchants

This level consists of merchants who process up to 1 million transactions annually via all channels (card present, card not present and eCommerce) and do not process more than 20,000 transactions annually via eCommerce. Similarly, a merchant who processes under 20,000 transactions annually via eCommerce can also qualify for level 4 status.

If you are a level 4 merchant you need to: 

  1. Complete an Annual Self-Assessment Questionnaire (SAQ)
  2. Complete a quarterly network scan by an ASV
  3. Complete the Attestation of Compliance Form

Identifying what merchant level your organization comes under

Merchants can consult their merchant services provider to help determine their level of PCI compliance, or use the tools their merchant services provider makes available to them.

Organizations that fall under levels 1-3 tend to have more complex compliance requirements, mainly because of the size and nature of their business. Many organizations at these levels rely on internal IT and compliance teams to implement and monitor their compliance programs.

On the other hand, small to medium-sized businesses generally fall under level 4. Unlike the higher levels, level 4 merchants may find their compliance requirements to be simpler. However, without an internal IT function (assuming your business does not have one), small to medium-sized businesses can find it challenging to meet their compliance requirements.

About the SAQ Questionnaire

A Self-Assessment Questionnaire (SAQ) is a self-validation tool for assessing the security of cardholder data. The questionnaire consists of a set of yes-or-no questions for each PCI DSS requirement. Several versions of the questionnaire exist to suit different merchant environments.

Is your business looking to get PCI DSS compliant? StickmanCyber's PCI DSS compliance service deploys a 5-step methodology to help you build trust with your customers and guarantee secure transactions with PCI DSS Compliance.
