06-04-13 | Blog Post

Clarifying Levels of PCI Compliance

Blog Posts

So, you either transmit, store, or process credit cardholder data for your business. You already know that means you need to be compliant with the 12 Payment Card Industry Data Security Standards (PCI DSS).

However, based on the number of transactions your company processes per year, there are specific levels of PCI compliance that need to be met. As a first step towards compliance, it’s important to know where your company falls on that spectrum, and how that can change the way you reach those requirements.

There are four levels of PCI compliance (these are mandated by Visa and Mastercard):

  • PCI Compliance Level 1 – Over 6 million Visa and/or Mastercard transactions processed per year
  • PCI Compliance Level 2 – 1 million to 6 million Visa and/or Mastercard transactions processed per year
  • PCI Compliance Level 3 – 20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year
  • PCI Compliance Level 4 – Less than 20,000 Visa and/or Mastercard e-commerce transactions processed per year all other companies that process up to 1 million Visa transactions per year

Keep in mind also that if you have a breach, it is possible that the card issuer can change your necessary compliance level. For example, you may only process 20,000 transactions in a year, which would put you at compliance level 3, but after a data breach Visa can determine that you now need to meet level 1 requirements.

What’s the difference between these levels? If your company is large enough to need level 1 compliance, you must get an independent approved scanning vendor (ASV) to come and audit your system and processes. If you are any of the lower levels, you won’t have to get an independent auditor, and instead can complete a PCI DSS Self-Assessment Questionnaire annually.

There are many different Self-Assessment Questionnaires (SAQ) available as well, so you want to make sure you’re using the right one, based on your business:

  • A – This questionnaire is for e-commerce, mail, or telephone order merchants that do not store cardholder data, and outsource any cardholder data functions.
  • B – Merchants who use an imprint machine to copy cardholder data fall into this category. Standalone, dial-out terminal merchants would fill out this questionnaire as well.
  • C-VT – This is for web-based virtual terminal merchants that do not store any electric cardholder data.
  • C – If you are a merchant that uses a payment application system connected to the internet and you aren’t collecting cardholder data, this SAQ is for you. If you’re using a software vendor for the payment application system, you’re going to have to ensure the app is compliant.
  • D – This is the catchall. If your business doesn’t seem to fit in any of those categories, you’ll want to fill out SAQ D.

With this and the PCI DSS in-hand, you’ve got the information you need to start working on those standards.

Want a little more information on PCI compliance? Download our PCI Compliant Hosting white paper, and we can give you a complete resource for outsourced PCI hosting.

Internet Retailer Conference & Exhibition (IRCE) 2013
Online Tech is exhibiting PCI hosting solutions at the IRCE 2013 conference in Chicago from June 4-7 at the McCormick Place West at booth #108!

Known as the world’s largest e-commerce event, the IRCE conference draws 9,500 e-retailing executives from more than 40 countries. The extensive agenda includes 220 speakers, 120 sessions and 6 workshops covering e-retail topics.

Other Resources:
Who Needs PCI Compliance, exactly?
PCI Report On Compliance
PCI Compliant Tips: Working With a Hosting Provider

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved