The Basics of PCI Compliance: Merchant Levels and Requirements

Emily Heaslip
June 29, 2021
The Basics of PCI Compliance: Merchant Levels and RequirementsThe Basics of PCI Compliance: Merchant Levels and Requirements
Emily Heaslip
June 29, 2021
On this page

PCI compliance isn’t just good for customers; it’s also good for business. Merchants that fall short of PCI compliance standards not only put their customer data at risk but also may face hefty fines. The PCI Compliance Guide reports that fines and penalties can range from $5,000 to $100,000 per month for the merchant. And, if you don’t achieve PCI compliance, not only will these fees start to add up quickly, but you’re at risk of being dropped by your credit card merchant.

[Read more: Cloud DLP and Regulatory Compliance: 3 Things You Must Know]

PCI compliance can seem complicated. There are four different levels and 12 different requirements, which all vary to some degree depending on what level you fall under. However, the goal of PCI compliance is to protect customer data from falling into the wrong hands. By implementing common-sense security measures, you can achieve PCI compliance with relative ease.

What is PCI compliance?

PCI DSS stands for Payment Card Industry Data Security Standard. The Payment Card Industry includes major credit card brands like Mastercard, Discover, American Express, and Visa. These credit card providers set security rules for any business that accepts their cards to protect customer credit and debit card data. If your business accepts any non-cash payments, it’s likely you will have to meet PCI DSS standards.

What are the four levels of PCI compliance?

There are four PCI compliance levels. All merchants fall into one of these four levels based on the volume of Visa transactions that the business processes over a 12-month period (including credit, debit, and prepaid sales).

The four PCI compliance levels are:

  • Level 1: Merchants who process more than 6 million transactions per year.
  • Level 2: Merchants who process 1 - 6 million transactions per year.
  • Level 3: Merchants who process 20,000 - 1 million transactions per year.
  • Level 4: Merchants who process fewer than 20,000 transactions per year.

What does this mean in practice? If your business processes fewer than 20,000 eCommerce transactions each year or up to 1 million transactions across all sales channels, your business is considered a Level 4 merchant. This is the most common merchant level, and most small businesses fall under it.

Each level has different PCI compliance requirements, ranging from the least stringent (Level 4 merchants have the lightest burden) to stricter regulations for Level 1 merchants. First, let’s go through the 12 PCI requirements that all merchants are required to meet to some degree.

PCI compliance checklist: what are the requirements?

In addition to the four PCI compliance levels, there are also 12 PCI requirements that you must meet — from having a firewall to regularly testing network security — to ensure you are PCI compliant. These 12 requirements apply whether you are a Level 4 business or a Level 1 business, though the specifics for compliance may vary based on your level.

  1. Install and maintain a firewall to protect cardholder data.
  2. Use unique passwords and other security parameters, never vendor-supplied default passwords or other security parameters.
  3. Use SSL-level encryption if cardholder data is transmitted across networks.
  4. Store cardholder data securely.
  5. Update antivirus and malware protection regularly.
  6. Maintain secure systems and applications.
  7. Restrict access to cardholder data to only users who need it.
  8. Restrict physical access to cardholder data, such as device access.
  9. Require users to log in or authenticate to access system components.
  10. Track and monitor access to network resources and cardholder data.
  11. Test security systems regularly.
  12. Create an information security policy and update it regularly.

These are relatively broad requirements, but they mean that your business must take concrete steps to implement security measures. As you begin to unpack how your business needs to be PCI compliant, start with the requirements listed for your specific level.

What is PCI Level 4 compliance?

PCI Level 4 applies to merchants who process the fewest card transactions each year relative to the rest of the market. In addition to meeting the 12 requirements listed above, Level 4 merchants must complete and file the PCI SSC annual Self-Assessment Questionnaire (SAQ) online on your processor’s website.

The merchant must also pass a vulnerability scan with a PCI SSC-approved scanning vendor. Most merchant account providers are able to do this for you. You must get evidence that you have passed this scan. And, finally, you must submit an Attestation of Compliance within the SAQ.

Your responsibilities: keep your SAQ updated each year, and complete the required security scans.

What is PCI Level 3 compliance?

PCI Level 3 compliance requirements are slightly more stringent than the preceding level, as these merchants are processing a higher volume of credit card transactions. This category is essentially a separate category for larger e-commerce businesses rather than retail-only businesses (which tend to fall under 1, 2, or 4).

Like Level 4 businesses, Level 3 merchants must complete and file the annual SAQ. However, the vulnerability scan must be completed quarterly rather than annually. Merchants also must complete the Attestation of Compliance.

Your responsibilities: keep your SAQ updated each year, and complete the required security scans on a quarterly basis. 

What is PCI Level 2 compliance?

Merchants that process between 1 million and 6 million credit/debit card transactions per year will fall under the Level 2 PCI compliance requirement. This number of transactions includes payments from both retail and e-commerce channels.

Level 2 merchant requirements are essentially the same as Level 3. You must complete and file the annual SAQ. You must also receive clearance of a quarterly vulnerability scan from an approved third-party vendor. And you must complete the Attestation of Compliance.

Your responsibilities: keep your SAQ updated each year, and complete the required security scans on a quarterly basis.

What is PCI Level 1 compliance?

Finally, merchants under PCI Level 1 have the most rigorous standards to meet. These merchants process over 6 million card-based transactions each year.

Note, however, that a merchant of any size will be added to Level 1 if the merchant has suffered an actual data breach that resulted in data compromise.

When you are added to level one, you must file an annual Report on Compliance (ROC) that is issued by the PCI SSC. This report is completed by a Qualified Security Assessor or internal auditor. This process is much more time-consuming than filing the SAQ.

Additionally, like the other levels, Level 1 merchants must pass a quarterly vulnerability scan hosted by a PCI SSC- approved vendor and the Attestation of Compliance.

Your responsibilities: annually file the ROC, and complete the required security scans on a quarterly basis.

It can be challenging to meet all the Level 1 requirements without the budget of a big enterprise. The restrictions placed on Level 1 merchants should incentivize smaller companies to take PCI DSS compliance seriously.

Regardless of what level your business falls under, here are some PCI compliance best practices to implement at your business.

PCI compliance best practices

Let’s go zoom out from the nitty gritty of PCI compliance levels to understand the core best practices you need to protect your business from a data breach.

First, make sure you have strong passwords in place, as well as 2FA or MFA, to control who can access your data. Strong passwords can be automatically generated by password managers to contain random strings of numbers and letters for maximum security.

[Read more: 5 Identity and Access Management Best Practices]

In addition, make sure that your network and all devices on the network should have firewall protection. Not only should your in-store wireless router be password-protected, but any computers or servers used to run your e-commerce site should also be password-protected.

PCI experts also recommend using a modern point of sale (POS) system to maintain security through tokenization and encryption. Tools like Clover, Square, and Shopify are designed to protect data whenever a sale is processed, taking the onus away from the merchant to ensure that aspect of security.

Merchants should not store cardholder information on a local hard drive or on their website server. Similarly, never store physical copies of customers’ credit card data. Avoid asking customers to email or text their credit card information, as these messages are not as secure as payment processing systems — and small businesses are often the target of phishing and malware scams.

Improve your PCI compliance

PCI DSS requires effective management & protection of customer data to keep consumers safe. In addition to basic security measures like encryption, firewalls, user access management, and using a modern POS, consider implementing a cloud data loss prevention tool.

Nightfall can help you first discover and classify sensitive customer data like PII, PHI, and PCI that must be protected. Our platform uses machine learning detectors individually trained to identify a specific type of PII or customer data that is protected by PCI compliance regulations. Next, the platform provides a way to quickly remediate any security issues by notifying admins and quarantining or deleting data. This reduces the risk of losing or exposing sensitive customer data and reinforces your commitment to protecting this information.

Build trust with your clients and customers, and avoid steep penalties by implementing tools to achieve PCI DSS compliance. Learn more about PCI DSS compliance in our security guide. And to get started with Nightfall, schedule a demo at the link below.

Nightfall Mini Logo

Getting started is easy

Start protecting your data with a 5 minute agentless install.

Get a demo