PCI compliance can seem like one more burden on payment processors, but maintaining compliance offers security-related benefits to courts and government agencies.

PCI Compliance 101

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed by an independent body to ensure that any company that accepts, processes, stores, or transmits credit card information does so in a secure manner. Developed in 2006, the PCI standard is designed to make sure all credit card processors are held to a security baseline.

Understanding the PCI Levels

PCI DSS defines levels of compliance that set an organization’s risk tier and the security requirements that apply to it, based on its combined transaction volume over a 12-month period, including credit, debit, and prepaid cards. The four levels of compliance are:

PCI Compliance Level 1
More than 6 million Visa and/or Mastercard transactions processed per year

Validation Requirements:

  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) – also commonly known as a Level 1 onsite assessment – or internal auditor if signed by officer of the company
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

PCI Compliance Level 2
1 million to 6 million Visa and/or Mastercard transactions processed per year

Validation Requirements:

  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Compliance Level 3
20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year

Validation Requirements:

  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Compliance Level 4
Fewer than 20,000 Visa and/or Mastercard e-commerce transactions processed per year, plus all other merchants that process up to 1 million Visa transactions per year

Validation Requirements:

  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Note: Ultimately, compliance validation requirements are set by the acquirer.

An organization’s compliance level is assigned by the card brands based on processing volume. A service provider might therefore start at Level 4 and, as its transaction count grows over time, move up to Level 1, with correspondingly stricter validation requirements; maintaining compliance with PCI DSS at every level is crucial.

The Security Benefits of PCI Compliance

Beyond codifying good security practice, PCI compliance helps courts and government agencies ensure they are maintaining a secure environment. The PCI standard requires continual identification of new and ongoing threats and vulnerabilities, helping your organization stay safe from data breaches.

Consider, for example, the Home Depot data breach, in which attackers used malware to steal millions of customer credit and debit card numbers. Proper implementation of PCI standards, which require routine vulnerability scans among other security processes, would have saved the company the $19.5 million in settlement costs as well as the accompanying brand damage. Additional PCI DSS requirements that help protect against malware and other attacks include:

  • Proper implementation of role-based security as well as user authentication
  • Secured connections for sensitive data transmissions
  • Detailed logging for audit reporting
  • Use of strong encryption

Do you know the PCI compliance level of your service provider?

Compliance requirements can be overwhelming, but by partnering with the right payment services provider, government agencies can rest assured that their payment transaction processes are compliant and secure. In addition, choosing a payment services provider that is validated at PCI Compliance Level 1 means you do not have to worry about finding and vetting another payment services partner should your annual transaction volume increase over time. You’re covered, secure, and compliant.