PCI DSS – A Beginner’s Guide to Levels and Requirements

Corona-induced pandemic has accelerated the rate of adoption for varied industries. E-commerce, Fintech, SaaS platforms, and cloud storage are among the industries that are growing at a commendable pace. The arc in the adoption curve has got hackers attentive too. Online services mean online payment, the involvement of credit, debit, and prepaid cards. Any organization that is offering paid or subscription services is expected to store card details and process them on monthly basis.

Since organizations are storing and processing this highly potent customer information, they are required to fulfill the 12 requirements of PCI DSS Compliance. Our comprehensive PCI DSS guide covers everything organizations need to do when preparing for this compliance. 

Businesses of all Sizes are Expected to Furnish the Same PCI DSS Requirements?

Well, it would be unfair to have the same norms applicable to small businesses that are cash negative as well as for organizations with billions in cash. PCI Council which includes industry leaders like VISA, MasterCard, and America Express have established levels based on the:

• Volume of transactions
• Size of the customer base
• Value of transactions processed annually
• Expansion plans

By creating levels, PCI Council has leveled the ground and offered businesses of all sizes to have a positive outlook and cater to customers with confidence. Some of the underlying benefits of these levels are:

• Even new and small organizations can gain customer confidence
• Customers can use their cards on small players’ websites with confidence
• Helps small businesses avoid fines
• Allows bigger organizations to ensure all card details are safe and secure

Important Link: Top PCI QSA Company in India

How many Levels does PCI DSS Compliance have?

Cybersecurity experts and veterans are now looking at PCI DSS as compliance that covers everything. The 12 requirements of compliance are so wide and include almost every step that confiscates internal attempts of hacking and restricts external attacks. 

Industry veterans cite that furnishing PCI Compliance helps them cover requirements of varied compliances like GDPR and a few compliances from the ISO family. PCI has added another feather to its cap by creating levels that cater to businesses of varied sizes.

Reasons why PCI DSS Compliance is so helpful in cybersecurity:

• It restricts unwanted movements near data servers
• Ensures all information sent over a network are encrypted
• Ensures all encrypted information comes with a key
• Maintains a register of everyone who accesses data servers
• Facilitates regular audits, which renders all internal attempts useless

Payment Card Industry Data Security Standard Compliance has Four Levels named:

• Level 1
• Level 2
• Level 3 
• Level 4

The four levels are defined on the basis of the number of transactions processed annually:

• Level 1: Organizations that process over 6 million transactions in a calendar year.
• Level 2: Companies that process transactions between 1 million to 6 million annually.
• Level 3: Merchants that handle 20,000 to 1 million transactions in a calendar year.
• Level 4: Applicable to organizations handling less than 20,000 transactions annually.

What are the Requirements of Varied PCI DSS Levels?

As mentioned earlier, PCI DSS compliance has multiple levels to ensure businesses of all sizes are able to furnish the requirement and function under a safety blanket. Every level comes with its own set of requirements that needs to be furnished quarterly as well as annually. The requirements vary from level to level on the basis of the volume of transactions processed by organizations.

Organizations with smaller transaction volumes need to have lesser norms in place because they are less vulnerable and any failure will impact only a limited number of customers whereas mishaps with bigger organizations can impact millions of people instantly. When bigger organizations are caught in a web of digital disasters like DDoS attacks or ransomware attacks, the global economy suffers and huge losses incurred on the private as well as government part hence all these Levels and their unique requirements.

 Level 1

• Meant for merchants/online stores that process transactions over 6 million in a year. We are talking about 6 million transactions and not transactions worth $6 million.
• Level 1 certified merchants need to conduct and document network scans on a quarterly basis.
• These entities must get their annual compliance audit done by a Qualified Security Assessor.

 Level 2

• Any merchant or online store that processes transactions between 1-6 million annually needs to get Level 2 compliance.
• The merchant must conduct and furnish a self-assessment questionnaire on a yearly basis.
• Alike Level 1 merchants, Level 2 merchants are also required to conduct and document network scans on a quarterly basis.

 Level 3

• Applies on the merchant who processes transactions between 20,000 to 1 million in a calendar year.
• The merchants are required to conduct and furnish a self-assessment questionnaire.
• Similar to Level 1 and 2 merchants, Level 3 merchants are also bound to conduct and document network scans on a quarterly basis

Level 4

Organizations that fall under the Level 4 category need to follow requirements provided by their local bank. Discover, VISA and American Express do not have any such requirement for Level 4 organizations. In other words, only a handful of banks provided Level 4 support. 

Here are the requirements for Level 4:

• Complete annual self-assessment and submit it to local banks
• Conduct quarterly network scans
• Submit a report to authorities and obtain Approved Scanning Vendor (ASV)

Unlike the other levels of PCI DSS, Level 4 organizations are not required to:

• Have a PCI QSA assisting them
• Annual renewal of certification
• No professional quarterly audit is required
• Not able to process all cards 

Final Thoughts

The attacks are continuously increasing, the best way of avoiding these attacks is to be aware of the challenges. By putting your organization through the pain of PCI DSS certification, you are saving customers from the pain, which directly impacts your brand reputation.

PCI DSS compliance ensures all transactions are safe and processed with a key that is only available for legit stakeholders. The varied levels are designed to help businesses of all sizes enjoy the benefit of working under a safer blanket.