With $49.32 billion predicted to be lost as a result of credit card fraud globally by 2030, the security of credit card transactions is ever at issue, and increasingly so.

As the processing of a credit card transaction always involves several parties, it is essential for the credit card industry to employ and practice an end-to-end approach to eliminating any possible vulnerabilities and security gaps. One of the main tools in achieving this goal is the Payment Card Industry Data Security Standard (PCI DSS). This set of requirements came into being back in 2004 as an initiative by 5 major credit card issuers (Visa, Mastercard, American Express, JSB, and Discover) and has since become a prevailing compliance standard for all businesses involved in credit card transactions worldwide.  

We’ll examine the compliance levels PCI DSS defines, as well as some of the differences in the ways the different card issuers interpret them. Our goal is to help you establish a compliant and robust process of handling credit card transactions in accordance with the vendor-specific requirements relevant in your case.

What Is the PCI DSS Standard?

In essence, PCI DSS represents an array of policies and related procedures, all of which are intended to help achieve one major goal: maximize the security of card transactions throughout their lifecycle by preventing cardholder information from being used by malicious actors. Notably, it deals not only with credit card transactions, but also with those involving debit cards and cash cards. The PCI DSS requirements describe how such cards are to be processed securely, i.e. how the credit card information is to be collected, transmitted, and stored. Besides, they detail some the best practices to ensure financial data security

Despite being widely accepted, PCI DSS is not a legal requirement in any of the geographies where it is used. Simultaneously, the virtually universal use of PCI DSS and its inclusion in legal agreements by the vast majority of credit card market players makes it rather unavoidable for card-processing businesses to comply with the PCI DSS requirements.

To outline and help create a secure card-processing environment, PCI DSS defines:

  • 6 main principles around which PCI DSS compliance is centered. 
  • 12 requirements business organizations need to meet to ensure the security of their card processing. 
  • 4 levels of PCI DSS compliance for merchants, defined and applied in accordance with the yearly volume of transactions a business handles.  
  • Self-Assessment guidelines merchants and service providers can use to self-evaluate the level of their correspondence to the PCI DSS requirements. 
  • The best practices that help achieve PCI DSS compliance.

Although the norms of PCI DSS are universal for all the participating credit card brands, each of these brands has a separate PCI DSS compliance enforcement program. The latter accounts for some differences in the ways they interpret the merchant compliance levels and related compliance requirements.

Make sure your business meets the important requirements with our PCI DSS compliance checklist!

The Levels of PCI DSS Compliance for Merchants

Overall, PCI DSS stipulates that there are a total of 4 merchant compliance levels used in evaluating the level of a merchant’s compliance with this standard. Such a PCI DSS level definition is supported by all the participating credit card brands.

However, there are some must-know differences in the way the different card issuers construe the PCI DSS levels of compliance. 

PCI DSS Compliance Levels

For example, as far as VISA is concerned, the 4 main compliance levels are applicable to merchants only, whereas there are 2 other PCI DSS transaction levels that are applicable to service providers.

As to American Express, there are differences in the transaction volumes that define the compliance levels. Some of the levels (3,4) are applicable to merchants only. The documentation package for all the 4 levels may include American Express STEP Attestation.  

In the case of Mastercard, there are differences in both the transaction volumes and the compliance requirements to be met. Only Level 1 compliance requires an annual PCI DSS assessment by a QSA or ISA that results in a Report of Compliance. For the rest of the levels, only a SAQ is required, but there are some additional requirements or alternative means of achieving the corresponding compliance at the different levels.   

Now let’s look at the PCI DSS levels of compliance in more detail – for reviewing purposes, we’ll use VISA as the baseline for the analysis and comparison and try to reflect some of the differences with the two other major card brands – Mastercard and American Express.

This is not meant as an exhaustive analysis; rather, our overview is meant to call your attention to the types of differences that we have noticed. However, as you come to grips with the sort of PCI DSS compliance your business needs, you must necessarily make a more thorough study of the original corresponding requirements, their details, and related specifics, especially because this information can change over time. 

Level 1 

Level 1 of PCI DSS merchant compliance is applied to businesses that process more than 6 million transactions per year. At the same time, the transaction volume of American Express for this level is 2.5 million or more American Express Card transactions. Mastercard can include any merchant that they, in their sole discretion, can consider as one that should undergo Level 1 compliance.

In order to achieve this level of compliance, merchants must:

  • Submit a report of compliance (ROC), composed by an external party that is entitled to act as a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA). The ROC composed by an ISA must be signed by an officer of the company.  As an example, an ISA can be an employee of the company, working in touch with some external auditors.
  • Submit an Attestation of Compliance (AOC) form that states the company has fulfilled all the corresponding compliance requirements. 
  • Undergo a vulnerability scan of the company’s network by an Authorized Scanning  Vendor (ASV) on a quarterly basis.
  • Perform penetration testing of the company’s infrastructure on a yearly basis.

Level 2

Level 2 of PCI DSS merchant compliance is associated with card-processing businesses that process from 1 to 6 million transactions per year. More specifically, it deals with 1-6 million transactions for Mastercard, Visa, and Discover, from 50 000 to 2.5 million for American Express, and less than 1 million for JSB.

To achieve this level of compliance, merchants must: 

  • Complete and submit a Self-Assessment Questionnaire (SAQ).
  • Submit an Attestation of Compliance (AOC) form that states the company has fulfilled all the corresponding compliance requirements. 
  • Undergo a vulnerability scan of the company’s network by an Authorized Scanning  Vendor (ASV) on a quarterly basis.
  • Perform penetration testing of the company’s infrastructure on a yearly basis.

For Mastercard, only a SAQ is required when it deals with PCI DSS levels 2-4. However, there are several additional requirements and options here with regards to these levels. For example, for Level 2, merchants that complete SAQ A, SAQ A-EP or SAQ D must also engage a PCI SSC-approved QSA or PCI SSC-certified ISA for compliance validation. When handling Mastercard-related PCI DSS compliance, make sure the original additional requirements and alternatives.

Level 3 

Level 3 of PCI DSS merchant compliance is associated with businesses that process from 20000 to 1 million transactions per year.  The transaction volume of American Express for this level is from 10000 to 50000 American Express Card transactions. With American Express, the level is applicable to merchants only.  For Mastercard, in turn, the set transaction volume is for a combined total of Mastercard and eCommerce Mastro transactions. 

To achieve this level of compliance, merchants must:

  • Complete and submit a Self-Assessment Questionnaire (SAQ).
  • Submit an Attestation of Compliance (AOC) form that states the company has fulfilled all the corresponding compliance requirements. 
  • Undergo a vulnerability scan of the company’s network by an Authorized Scanning  Vendor (ASV) on a quarterly basis.

For Mastercard, only a SAQ is required.  Unlike with Levels 1 and 2, Level 3 and Level 4 of PCI DSS compliance stipulate no requirement for mandatory penetration testing. Please note, that mandatory according to PCI DSS 4.0, penetration testing should not be mixed up with vulnerability network scans.

Andrii Semitkin: Delivery Director at SPD Technology

Andrii Semitkin

Delivery Director at SPD Technology

“PCI DSS compliance is not a mere formality, it’s a tool called to prevent unwanted scenarios. In this sense, penetration testing is an awesome approach that allows you to unearth real vulnerabilities, check whether the safeguards you have in place protect you 24/7 without any dodgy downtimes, and gauge how well these safeguards can actually respond to various threats.”

Level 4

Level 4 of PCI DSS merchant compliance is for merchants that process less than 20000 transactions per year. The transaction volume of American Express for Level 4 is less than 10000 American Express Card transactions. With American Express, the level is applicable to merchants only.  For Mastercard, this level is applicable to any merchants other than those that fall under the other 3 levels.

To achieve this level of compliance, merchants must:

  • Complete and submit a Self-Assessment Questionnaire (SAQ), or comply with some alternative validation requirements set by the acquirer. 
  • Undergo a vulnerability scan of the company’s network by an Authorized Scanning  Vendor (ASV) on a quarterly basis.
  • Submit an Attestation of Compliance (AOC) form that states the company has fulfilled all the corresponding compliance requirements. 

Notably, compliance with Level 4 of PCI DSS also requires that the company has not fallen victim to a successful cyber attack or suffered a data breach.

Please note, that the application of some of the different PCI DSS merchant compliance levels may differ for those companies that have not suffered a data breach or successful cyber attack and those that have. For example, the former may be subjected to Level 1 compliance even if their volume of transactions is lower than that envisaged by this compliance level. 

In the case of Level 2 compliance, a business that has suffered a data breach or successful cyber attack may be requested to undergo an on-site audit or compose and submit an annual report.

A Self-Assessment Questionnaire (SAQ) and How to Deal with It

As we can see from the sets of procedures to be completed for the different PCI DSS levels, Self-Assessment Questionnaires are an integral part of the PCI DSS compliance that merchants handle on their own. Because of this, we’d like to say a few words about how exactly they should approach this part of PCI DSS compliance. 

So far, the Payment Card Industry Security Standards Council has introduced 9 types of SAQ. Each of these SAQ types comprises 12 sections, each devoted to one of the 12 PCI DSS requirements. In turn, each of these 12 sections contain 6 control objectives. 

To complete the assessment, one needs to answer sets of yes-or-no questions. The expected testing column of a SAQ describes the testing activities that allow one to establish whether a merchant is compliant with the corresponding requirement.

The types of SAQs are as follows:

SAQ types PCI DSS

How to Approach a Self-Assessment Questionnaire

To begin the SAQ completion process, merchants first need to pick the SAQ type that is intended for, and corresponds to the nature of their business as a merchant, for example, SAQ A or SAQ C. Next, they need to obtain the required forms from the website of the Payment Card Industry Security Standards Council.

As the next step, it makes sense to first get familiar with the requirements your SAQ contains and collect or additionally obtain any relevant evidence of compliance with these requirements. Such evidence can be diverse: security policies, descriptions of the implemented security procedures, network diagrams, penetration test results, and any other relevant document assets.     

After this, one should answer the questions the SAQ contains in good faith. In answering the questions, one should provide a description of any relevant compensating controls that they have in place. Lasly, one should identify those areas where your business falls short of the PCI DSS requirements and come up with measures to stop any existing gaps.

VISA and Mastercard PCI DSS Compliance Levels for Service Providers

The PCI DSS compliance validation levels for service providers (or any organization that processes, transmits and stores card-related information, usually on behalf of a banking institution, merchant, or another service provider) may be different from those for merchants. For example, they are as follows for Visa.

Level 1 

Level 1 of PCI DSS service provider compliance is associated with VISA.Net Processors or any other service providers that store, process, and/or transmit more than 300000 transactions per year. These service providers must:

  • Submit an annual Report of Compliance done by QSA.
  • Undergo a quarterly vulnerability network scan by an ASV.
  • Submit an Attestation of Compliance (AOC) form.

Level 2 

Level 1 of PCI DSS service provider compliance is associated with any service providers that store, process, and/or transmit less than 300000 transactions per year. These service providers must:

  • Undergo a quarterly vulnerability network scan by an ASV.
  • Submit an Attestation of Compliance (AOC) form.

Similarly, Mastercard has 2 PCI DSS compliance service provider levels with the same transaction volumes and provides a detailed listing of the types of service providers that fall under each of these levels. 

Conclusion 

Understanding of the PCI DSS levels is instrumental in achieving the required compliance related to ensuring data security in Fintech as far as  various card-processing businesses are concerned.

However, it’s also important to realize that PCI DSS compliance is also both a practical boon and a technical challenge one needs to be able to meet with sufficient efficiency. In fact, it may involve dealing with several Fintech development challenges  that take quite a bit of skill to solve.

Disclaimer! The merchant and service provider-related PCI DSS compliance information herein is provided for the purpose of gaining an overall understanding only and does not represent an exhaustive, accurate, or comprehensive analysis of the matter. You must become thoroughly familiar with the corresponding original PCI DSS requirements and card brand-related specifics prior to handling any PCI DSS compliance-related matters.  

FAQ

What do PCI DSS levels mean?

PCI DSS compliance levels are sets of requirements that the various card-processing merchants need to be compliant with in accordance with their transaction volumes.

How are PCI DSS levels defined? 

PCI DSS levels of compliance are defined by the number of transactions merchants handle. While there are 4 PCI DSS levels, this number varies from card brand to card brand.

What are the requirements for different PCI DSS merchant levels? 

The requirements for the different merchant levels (PCI DSS) include the submittal of an annual report, composed by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA), the performance of vulnerability network scan, the completion of a Self-Assessment Questionnaire, and penetration testing.