Each party involved in the processing, storage or transmission of cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS), administered by the Payment Card Industry Security Standards Council. It provides merchants with a comprehensive framework to identify and address payment card data security risks. The standard makes merchants responsible for securing their trading environment, for their trading policies (or lack thereof), and for any actions that may result in a data breach.
Although the PCI Council does not audit all companies for PCI compliance, non-compliance can result in serious consequences. If a data breach occurs and the company is found to have failed to comply with the regulations at the time, it will face heavy fines and reputational damage.
What is PCI DSS?
PCI DSS is a set of requirements defined to ensure that all organizations processing credit card data provide a secure environment. PCI DSS became effective on September 7, 2006. It is managed by the PCI Security Standards Council (PCI SSC), an independent organization founded by MasterCard, Visa, American Express, Discover and JCB.
PCI compliance levels
There are four PCI compliance levels, based on annual merchant card transaction volumes:
- Level 1: more than 6 million transactions per year
- Level 2: 1M to 6M transactions per year
- Level 3: 20,000 to 1 million transactions per year
- Level 4: less than 20,000 transactions per year
Additionally, if a merchant experiences a breach that results in compromised account data, their business can be taken to a higher level of compliance. Merchants can identify their level of PCI compliance and ensure compliance by partnering with PCI Compliance Providers.
PCI Level 1
Level 1 PCI compliance applies to businesses processing more than 6 million card transactions per year. While other levels only require completion of a Self-Assessment Questionnaire (SAQ), Level 1 PCI compliance requires an annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). Merchants who have suffered a data breach that compromised payment card data are also subject to external audit, even if they are not Level 1 merchants.
In addition, Level 1 companies must have quarterly scans of their networks (servers, workstations, cloud resources, etc.) performed by an approved vendor, and they must have a penetration test (also called a pen test) performed at least once a year. This is a simulated cyberattack aimed at checking your systems for exploitable vulnerabilities.
For the Level 1 PCI audit, you will need to provide an Attestation of Compliance (AOC) form indicating that you have complied with the PCI DSS requirements.
PCI level 2
You are a PCI Level 2 merchant if you process between 1 million and 6 million credit card transactions per year. Businesses classified as Level 2 PCI merchants are not subject to any audit unless they suffer a data breach or their acquiring bank deems it necessary.
Level 2 merchants must complete a self-assessment questionnaire, have their networks scanned quarterly by an approved vendor, and complete an Attestation of Compliance (AOC). Additionally, Level 2 PCI merchants are required to perform an annual penetration test. However, keep in mind that service providers are subject to semi-annual penetration testing (PCI Requirement 220.127.116.11).
PCI Level 3
Merchants processing between 20,000 and 1 million transactions per year belong to Level 3 PCI compliance. As with Level 2 merchants, to remain PCI Level 3 compliant, you must complete an SAQ, perform network scans quarterly, and submit an Attestation of Compliance form. However, this level does not require penetration testing.
PCI Level 4
This level of PCI compliance applies to any merchant processing fewer than 20,000 e-commerce transactions per year and to all other merchants, regardless of acceptance channel, processing up to 1 million Visa transactions per year. Level 4 PCI merchants are not required to undergo audits or submit a Report on Compliance (ROC), and may not even need AOC forms. Level 4 organizations are only required to complete an annual Self-Assessment Questionnaire (SAQ) and perform quarterly network scans.
What is the SAQ?
A PCI SAQ, or Self-Assessment Questionnaire, is a merchant’s declaration of PCI compliance, validating that the merchant is taking the necessary steps to secure cardholder data.
Completing a PCI self-assessment questionnaire is part of the compliance process. This involves answering several yes/no questions regarding PCI DSS requirements. There are different types of SAQ. The type you need to submit depends on your level and how you process payment card data.
- SAQ A — for organizations that fully outsource their card data processing to third parties, including e-commerce transactions and mail/telephone order merchants.
- SAQ A-EP — for e-commerce merchants who only outsource their payment processing.
- SAQ B — for e-commerce businesses that do not obtain cardholder data but control how it is passed to third-party payment processors.
- SAQ B-IP — for merchants not storing payment card data electronically but using IP-connected point-of-interaction devices.
- SAQ C-VT — for organizations that process cardholder data through a virtual payment terminal rather than an IT system.
- SAQ C — for those with Internet-connected payment processing systems.
- SAQ D — for merchants not covered by SAQ types A to C.
- SAQ P2PE — for organizations applying point-to-point encryption, not applicable to e-commerce merchants.
No matter what level of PCI compliance your organization is at or what type of merchant you are, staying PCI compliant should be one of your top priorities. Secure systems translate to greater customer trust and improve your reputation with payment brands. More importantly, PCI compliance helps prevent data breaches and strengthens corporate security policies.