Levels of PCI Compliance
Do you know what level your business falls under to meet PCI compliance? While the 12 PCI compliant requirements are dictated by the PCI Security Standards Council (PCI SSC), compliance is enforced by the credit card issuer companies, including Visa, MasterCard, American Express, Discover and JCB International.
These are the four levels of PCI compliance as mandated by the card issuers Visa and Mastercard, with definitions according to the volume of credit card transactions per year:
- PCI Compliance Level 1
Over 6 million Visa and/or Mastercard transactions processed per year
- PCI Compliance Level 2
1 million to 6 million Visa and/or Mastercard transactions processed per year
- PCI Compliance Level 3
20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year
- PCI Compliance Level 4
Less than 20,000 Visa and/or Mastercard e-commerce transactions processed per year all other companies that process up to 1 million Visa transactions per year
What do these levels of PCI compliance mean?
Companies that meet Level 1 must have yearly on-site reviews by an internal auditor and a required network scan by an approved scanning vendor. A full list of approved scanning vendors (ASV) and contact information is available online from the PCI Security Standards Council.
Any companies that meet PCI compliance Levels 2, 3 or 4 must complete the PCI DSS Self Assessment Questionnaire annually and undergo quarterly network security scans with an approved scanning vendor.
What happens if you breach a PCI compliance level requirement?
Visa makes your life a bit harder by reserving the right to change your level standards to a stricter level, regardless of the number of transactions processed per year. For example, if you are classified as meeting Level 4 compliance, you must now abide by Level 1 requirements.
Working with a PCI compliant hosting provider can help you understand where your company currently stands and how to meet PCI compliant level requirements.