A Guide to PCI Compliance Requirements and Levels

Jan 6, 2023

Accepting credit card payments is a must for today’s businesses. The benefit of faster, easier payments also comes with the responsibility to protect sensitive payment information. Each year, millions of consumer data records are exposed in data breaches, putting consumers, businesses, and the payment industry at risk.

PCI Compliance Overview

To create a standard of security for companies that handle credit card information, five major card brands—Visa, Mastercard, American Express, Discover, and JCB—created the global security standards for protecting cardholder information.

These 12 basic requirements are grouped in 6 categories and known as Payment Card Industry Data Security Standard (PCI DSS). All companies that accept, process, store, or transmit credit card information are expected to follow these standards to establish and maintain a reliable and secure payment processing environment. Companies who follow these standards are considered PCI compliant.

While PCI compliance isn’t a legal requirement, following the standards protects your business from data leaks and allows you to avoid being charged for non-compliance.  

Benefits of PCI Compliance

Understanding and meeting PCI Compliance standards can be challenging, but protecting consumer information is worth the effort. 

  • Improved security. Following PCI DSS allows businesses to improve the security of their systems and protect sensitive payment information from being accessed or stolen.
  • Reduced risk of data breach. As digital attackers get more sophisticated, complying with PCI DSS helps businesses reduce the risk of data breaches, which can have serious consequences for businesses, including financial losses, legal liabilities, and damage to reputation.
  • Building customer trust. Showing your commitment to protecting consumer payment information helps you build trust and improve your reputation.
  • Simplified compliance. Your business have other security and regulatory requirements that overlap with with PCI DSS. Bringing your business to PCI compliance standards helps you comply with other mandates and vice versa.

What’s Required for PCI Compliance?

Payment data can be stolen from multiple places within the payment flow including credit card readers, payment databases, networks, and paper records. PCI DSS fall within six broad categories to ensure your entire organization is secure.

Build and maintain a secure network1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program5. Protect all systems against malware and regularly update anti-virus software or programs.6. Develop and maintain secure systems and applications.
Implement strong access control measures7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes. 
Maintain an information security policy12. Maintain a policy that addresses information security for all personnel.

Each of the 12 requirements has additional sub-requirements that follow the latest best practices. The PCI Security Standards Council outlines a six-milestone approach to reaching full compliance.

PCI Compliance Levels

Visa and Mastercard have outlined four PCI compliance levels with different requirements based on annual transactions. Mastercard also categorizes businesses based on whether they have additional security risk, i.e. having a previous data breach.

Compliance LevelApplies ToRequirements
Level 11. Merchants processing over 6 million Visa or Mastercard transactions per year.
2. Merchant who’ve had a previous data breach.
3. Merchants assigned to Level 1 by another card brand.
✓ File a Report on Compliance by Qualified Security Assessor (also known as a Level 1 onsite assessment) or internal resource if signed by an officer of the company.
✓ Submit to quarterly network scans by an Approved Scanning Vendor (ASV).
✓ Submit an Attestation of Compliance Form.
Level 21. Merchants processing between 1 million and 6 million Visa or Mastercard transactions per year.
2. Merchants assigned to Level 2 by another card brand.
✓ Complete a Self-Assessment Questionnaire. The SAQ you complete depends on how your payments are integrated.

✓ Submit to quarterly network scans by an ASV.
✓ Submit an Attestation of Compliance Form.
Level 31. Merchants processing between 20,000 and 1 million online transactions each year.
2. Merchants assigned to Level 2 by another card brand.
Same as Level 2.
Level 4All other merchants, e.g. those processing fewer than 20,000 transactions per year, or merchants who don’t accept online payments and process fewer than 1 million transactions per year.Same as Level 2.

You may only have to validate your PCI compliance once a year, but focusing on maintaining security standards should be a continuous process. This way your customers and your business are protected all year long.

Sources

  1. PCI Security Standards Council. About Us.
  2. Visa. PCI compliance: Keeping customer data safe.
  3. Mastercard. What merchants need to know about securing transactions.

Related Posts