
What You Need to Know About the 4 PCI DSS Levels

Unsure about which PCI DSS level your organization falls under? Or confused about which PCI DSS obligations are relevant for your organization? If so, don’t be concerned – we have got you covered. In this article, we’ll discuss the 4 main PCI DSS levels and how you can determine which is appropriate for your organization.

Not all organizations that manage payment card data/cardholder data bear the same level of security risks or process an equal volume of card transactions—some may process millions of transactions every year, while others may just process a handful of them.

To accommodate these differences, the PCI Security Standards Council introduced PCI DSS levels—categories that merchants are classified into based on the volume of transactions they process annually. These transactions can be credit card transactions (with cards from Visa, Mastercard, Discover, American Express, or JCB), card-not-present transactions, or e-commerce transactions.

Note: Merchants are the organizations that directly handle, store, and process cardholder or payment data.

Each level mandates only the security requirements that are relevant to organizations of that operational scale, so that smaller organizations are not overburdened by requirements that do not apply to them.

Now, you may ask: ‘What are these levels of PCI compliance?’ ‘Which organizations fall under them?’ ‘What requirements does each level mandate?’ Let’s find out.

Detailed Breakdown of the 4 PCI DSS Levels

Below, we’ve detailed 4 main PCI DSS levels created by the PCI DSS Security Standard Council (PCI DSS SSC):

Note: PCI compliance requirements become more stringent as the organization's transaction volume increases. In other words, the higher the volume of transactions, the stricter the security rules!

1. PCI DSS Compliance Level 1

The PCI DSS Level 1 category is for organizations/merchants processing over 6 million Visa, Mastercard, and Discover card-based transactions, over 2.5 million American Express transactions, and over 1 million JCB transactions every year. For example, large retail chains like Walmart, Ikea, and Target that operate in multiple countries, as well as Amazon and eBay, fall under PCI DSS merchant level 1.

What mandatory requirements does an organization classified under such PCI DSS levels need to follow?

Here’s a list of requirements organizations classified under such PCI DSS levels must fulfill.

  • Organizations that fall under such PCI DSS levels are obligated to undergo an audit conducted by a PCI-approved external third-party auditor known as a qualified security assessor (QSA). These auditors perform an in-depth on-site review of the organization’s security policy and practices and detail the findings in an annual audit report on compliance (RoC).

Third-party auditors sometimes provide suggestions to improve certain security controls in the RoC. As an organization, you can work on those suggestions before the final official PCI DSS compliance audit.

Note: You need to present the RoC to PCI DSS auditors to attain PCI DSS compliance certification.

  • Organizations classified as such PCI DSS levels also need to hire an approved scanning vendor (ASV) to conduct quarterly network scans and annual penetration tests.
  • That’s not all! Organizations assigned to such PCI DSS levels are also required to conduct an internal annual audit and detail all PCI DSS security requirements they have fulfilled in the attestation of compliance (AoC) form. Once complete, they must submit the form to the PCI DSS SSC for further review.

2. PCI DSS Compliance Level 2

Organizations that process between 1 and 6 million Visa, Mastercard, and Discover card-based transactions, 50,000 to 2.5 million American Express transactions, and less than 1 million JCB transactions every year are tagged as PCI DSS merchant level 2. For example, mid-sized organizations that operate across provincial lines or in active trade areas, as well as restaurants, fall under PCI DSS level 2.

What mandatory obligation does an organization classified under such PCI DSS levels need to meet?

Here’s a list of requirements that organizations at such PCI DSS levels must meet.

  • Organizations that fall under such PCI DSS levels don't need to undergo an on-site audit conducted by a qualified security assessor or get an RoC from them. Instead, they just need to conduct an internal assessment and outline all PCI controls, security practices, and policies they have implemented to keep sensitive cardholder data (CHD) secure in an annual self-assessment questionnaire (SAQ). Once completed, they must submit the SAQ directly to the PCI DSS SSC for further review.

Note: Self-assessment questionnaire forms are already available on the PCI DSS website; you can choose the one that is relevant to your organization.

  • However, if your organization was a victim of a cyberattack or data breach in the previous year, you must undergo an on-site audit and get the annual RoC from a qualified security assessor—SAQ won't be valid.
  • Just like PCI DSS Level 1, organizations that fall under Level 2 are also obligated to conduct quarterly network scans (which need to be performed by ASV) and penetration tests annually and submit an AoC form to PCI DSS SSC.

3. PCI DSS Compliance Level 3

The PCI DSS level 3 category is for organizations that process up to 1 million VISA e-commerce-based transactions, less than 20,000 Mastercard e-commerce-based transactions, around 20,000 to 1 million Discover e-commerce-based transactions, and less than 50,000 American Express transactions a year. For example, small to medium organizations that operate in local areas fall under PCI DSS merchant level 3.

Note: JCB international transactions are not processed by PCI DSS levels 3 and 4. This is because organizations at these PCI DSS levels don’t usually have the necessary security setup in place to meet JCB’s transaction processing standard.

What mandatory requirements does an organization classified under such PCI DSS levels need to fulfill?

Here’s a list of requirements that need to be met by organizations that come under such PCI levels.

  • Organizations that fall under such PCI DSS levels are not obligated to undergo external/on-site audits performed by QSA and don’t have to present any RoC to attain PCI DSS certification. However, they do need to conduct an internal annual assessment and detail what PCI DSS security mandates they have fulfilled in SAQ A-EP, which they then have to submit to the PCI DSS SSC.
  • Organizations classified under such PCI DSS levels are also required to hire an ASV and undergo a quarterly network scan. Additionally, they need to fill out the AoC form and present it directly to the PCI DSS SSC.
  • However, organizations that fall under PCI DSS level 3 do not need to perform penetration tests annually (they can choose to voluntarily perform them—there are no restrictions).

4. PCI DSS Compliance Level 4

Organizations that process less than 20,000 VISA and Mastercard e-commerce-based transactions per year are labeled PCI DSS merchant level 4. For example, small clothing startups that process very few transactions annually come under PCI DSS level 4.

What mandatory requirements need to be met by an organization classified under such PCI DSS levels?

Here’s a list of requirements that organizations classified under such PCI DSS levels are bound to follow.

  • Just like PCI compliance level 2 and 3 organizations, PCI DSS level 4 organizations don't need to undergo an on-site or external audit; they just have to conduct an internal assessment and submit SAQ A-EP directly to the PCI DSS SSC.
  • Also, these organizations need to recruit an ASV to perform a thorough scan of their network four times a year; however, penetration tests are not necessary.
  • Additionally, organizations classified under such PCI DSS levels simply need to outline their compliance strategy (such as what PCI DSS controls and practices they follow) and history of data breaches (if any) in the AoC form. After completing the form, they must submit it to the PCI DSS SSC for further review.

After going through the PCI DSS levels, you may have a few questions, such as ‘How will I know how many transactions my organization processes in a year?’ Also, not every business actively processes payments every day or week. So, how do you figure out which of the PCI DSS levels your organization falls under? Read on to find the answer.

How To Find Out Which PCI DSS Level Your Organization Falls Under?

Here are the steps you can follow to determine which PCI DSS compliance level category is appropriate for your organization:

Step 1: Gather Payment Transactions Information

If you already have transaction data (card-based, non-card-based, or e-commerce transactions), you can proceed to the next step. If you don't have access to cardholder data/payment transaction volume information, or are having trouble accessing it, you can gather this information directly from:

  • The card payment brands (Visa, American Express, Discover (Discover Financial Services), Mastercard, or JCB) you accept for payments
  • Your acquiring banks, also known as acquirers (the banks that deposit the payment into your organization's account when a credit card transaction is processed)

Step 2: Review Your Transaction Volume Data

Once you have gathered the transaction data, the next step is to review it. You need to evaluate the data thoroughly and find out which data are relevant (do not include the organization's personal transaction data). Then, calculate how many card transactions your organization has processed over the past year (which is 52 weeks).

Step 3: Compare With PCI DSS Levels Transaction Criteria

After you get the number of transactions you made in the last 52 weeks (annual transaction volume), compare it with the PCI DSS levels processed transactions criteria. By making this comparison, you will be able to easily identify which PCI DSS level your organization will be at.

Now that you are familiar with the PCI DSS levels and how to determine which PCI merchant level your organization falls under, let me address one common confusion you may encounter.

Many organizations get confused about whether they fall under the PCI DSS merchants or service providers category. This confusion is quite understandable because both manage card payment data and follow practices set forth by PCI DSS to protect it. Although they perform almost similar tasks and are bound to comply with PCI DSS, they are completely different from each other. Here's how.

PCI Merchant Vs Service Provider: What’s The Difference?

PCI merchants are organizations that directly accept payment cards (like credit cards) as payment for goods or services. They also manage, store, and process the payment data/cardholder data themselves, with the help of their internal teams and software.

On the other hand, service providers are third-party entities that manage, store, and transmit payment or cardholder data on behalf of the merchant. They are not engaged in receiving payment data during customer payment transactions, which means they don’t directly receive payment data (they are not a part of the actual transaction process). Rather, they just process transaction data provided by merchants.

Also, unlike PCI merchants that have 4 PCI DSS levels (mentioned above), service providers just have 2 levels which are as follows:

  • Service Provider Level 1: Third-party entities that store, process, or transmit over 300,000 card transactions per year are tagged as service provider level 1.
  • Service Provider Level 2: Third-party entities that manage less than 300,000 card transactions every year fall under service provider level 2.

Meet The Stringent Requirements Regardless of Your PCI DSS Level With The Right Tool

No matter whether you’re a PCI DSS merchant or a service provider, and regardless of which PCI DSS level you fall under, the bottom line is clear: all are bound to comply with PCI DSS. Why? At the end of the day, anyone who deals with CHD (directly or indirectly) is obligated to comply; it is a must. And you have to meet the stringent requirements set forth by PCI DSS, such as performing annual external audits to obtain an RoC, self-assessments to fill out the SAQ, vulnerability scans, penetration tests, and more.

However, outsourcing external auditors/experts (when not necessary) to perform multiple assessments or manually performing them will be a costly and time-consuming headache—plus, the risk of errors will only add to the stress!

Also, let’s not forget that PCI certification is valid for just a year. You have to perform most of the assessments again and again (after each year is completed). So, if you rely on external experts to perform assessments every time, the recurring costs will quickly pile up, putting a strain on your budget.

Instead, you can opt for a subscription-based access review automation tool like Zluri. Such a solution will not only be a viable investment for the long run but will also streamline your assessment processes with the least manual intervention. How?

Zluri offers an advanced access review solution that automates your audit/assessment process with just a few clicks. Here’s how it works.

Your team needs to detail a few actions that will be performed by Zluri during the review, such as – specifying the apps (apps that hold CHD) that need to be reviewed, user type, and actions that need to be performed when anomalies are detected. Once all the details are specified, Zluri automatically conducts a thorough review of the app and users who have access to it. If any anomalies are detected, they are auto-remediated without needing any manual intervention. Finally, it generates a detailed UAR report outlining its actions to ensure only authorized users hold access to the app that stores CHD. The best part is that you can review the report, fill out a self-assessment questionnaire (SAQ), and directly submit the SAQ to the PCI DSS Security Standard Council (PCI DSS SSC) to attain compliance certification.

To learn more about how Zluri conducts reviews, you can quickly go through this access review tour.

https://www.zluri.com/access-reviews/salesforce

Also Read: 3 Ways User Access Review Helps Comply With PCI DSS

Frequently Asked Questions (FAQs)

1. What Is The Difference Between the PCI DSS Self Assessment Questionnaire (SAQ) and the Report On Compliance (RoC)?

The SAQ is an official document filled out by the organization's internal staff after an internal assessment (in this case, an internal security assessor performs the audit). The RoC is an official report that a third-party qualified security assessor fills out after an on-site audit. Small and mid-sized merchants/organizations generally submit annual self-assessment questionnaire forms, while annual reports on compliance are submitted only by large merchants/organizations.

2. What Happens If You Choose Not To Comply With Mandatory Requirements Set For PCI DSS Levels?

If you decide not to comply with the requirements set for PCI DSS levels, you will have to pay hefty non-compliance penalties. For instance, if your organization falls in the PCI DSS merchant level 1 category, you will have to pay between $10,000 and $100,000 for non-compliance. If your organization comes under PCI DSS merchant level 2, you will have to pay between $5,000 and $50,000 for non-compliance. Note that the penalty charges will vary depending on how long you have stayed non-compliant.
