PCI Compliance Levels: 4 Merchant Levels Explained
The regulation of payment cards is relatively new, but compliance with the Payment Card Industry (PCI) standards is vital.
The origins of PCI standards were in the 1990s, really the dawn of the modern era of computers. The security standards were developed because of the serious incidence of credit card fraud once credit cards started being used for internet payments.
Between 1988 and 1998, Visa and MasterCard reported credit card losses of $750 million. Although this is a sizable amount of money, it is a small percentage of the hundreds of billions of dollars in transactions recorded annually.
History of PCI Security Standards Council (SSC)
As increasing numbers of merchants began rolling out online commerce websites with poorly secured data systems, the rate of credit card fraud increased dramatically, and the increasing rate of fraud prompted the development of industry security standards.
In 2000, online credit card fraud grew to $1.5 billion, and the rate of fraud would nearly triple between 2000 and 2010. In 2001, Visa and other credit card brands struggled to enforce security guidelines because of a lack of uniformity.
By December 15, 2004, PCI DSS 1.0 made its debut as the first unified security standard supported by all five of the major credit card brands. Compliance with these security standards became mandatory for merchants who accepted online credit card payments through any of the signatory credit card brands.
In September 2006, the standard was refined as Version 1.1, mandating that all application code be professionally reviewed for vulnerabilities, and or a web application firewall must be installed in front of the website.
In addition, the five major credit cards formed the SSC to manage the enforcement of standards.
The PCI certification system was not designed by the government, but by a self-governing body of the credit card industry itself, for its own protection against losses from fraudulent use of credit cards online.
The most recent version of PCI DSS is version 3.2.1 released in May of 2018.
PCI compliance levels for merchants
Full compliance with PCI SSC Version 3.2.1 was mandated on February 1, 2018, so that organizations had the time to prepare full implementation. The newest PCI SSC version was written to clarify what it really means to be PCI compliant.
Part of compliance is a process to fully validate that merchants actually have the required processes in place. In previous versions, many organizations treated compliance as an annual ritual without really having the required mechanisms in place.
Compliance is based on four main areas of practice with a large number of verifiable actions within them.
Here are the four merchant levels of PCI Compliance:
Merchant level 4
Merchant accepts/processes less than 20,000 Visa or MasterCard online transactions or up to 1 million transactions annually. Validation includes a SAQ (or Self-Assessment Questionnaire), quarterly network scan by an ASV (Approved Scanning Vendor), and an Attestation of Compliance Form.
Merchant level 3
Merchant accepts/processes 20,000-1 million Visa or MasterCard online transactions annually. Validation includes a SAQ, quarterly network scan by an ASV and an Attestation of a Compliance Form.
Merchant level 2
Merchant accepts/processes 1 million-6 million Visa or MasterCard online transactions annually. Validation includes a SAQ, quarterly network scan by an ASV, and an Attestation of a Compliance Form.
Merchant Level 1
Merchant accepts/processes over 6 million Visa transactions per year, has a data breach that resulted in account data compromise, and/or is identified as Level 1 by Security Standards Council. Validation includes a ROC (Report On Compliance) by a QSA (Qualified Security Assessor), a quarterly network scan by an ASV, and an Attestation of a Compliance Form.
Enforcing PCI compliance
The PCI Security Standards Council is an organization of merchants, banks, processor companies, software developers, and point of sale vendors associated with the credit card and payment card industry. The council serves as an external advisory organization in the building of PCI SSC standards.
Merchants who process, store, or transmit cardholder data are required, by the credit card companies themselves, to have external checks on their network vulnerability by approved scanning vendors.
A number of private organizations offer compliance assistance on an annual basis. These organizations, largely in the cybersecurity sector, provide the appropriate inspections and consulting services, configuration hardening and monitoring, file integrity, patching, and user monitoring to be able to testify to a merchant’s PCI compliance level.