A guide to the 4 PCI DSS compliance levels

The PCI DSS (Payment Card Industry Data Security Standard) contains a set of requirements to help organisations prevent payment card fraud.

But did you know that the same requirements don’t apply universally? In fact, there are four PCI compliance levels, which are determined by the number of transactions the organisation handles each year.

  • Level 1: Merchants that process over 6 million card transactions annually.
  • Level 2: Merchants that process 1 to 6 million transactions annually.
  • Level 3: Merchants that process 20,000 to 1 million transactions annually.
  • Level 4: Merchants that process fewer than 20,000 transactions annually.

Let’s take a look at how those levels affect the way you approach PCI DSS compliance.


PCI DSS compliance

All organisations within the PCI DSS’s scope must complete an assessment (the specifics vary based on your level), a quarterly network scan and the Attestation of Compliance Form.

For Level 1 organisations, the assessment should consist of an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). They’ll perform an on-site evaluation of your organisation to:

  • Validate the scope of the assessment;
  • Review your documentation and technical information;
  • Determine whether the PCI DSS’s requirements are being met;
  • Provide support and guidance during the compliance process; and
  • Evaluate compensating controls.

The auditor will then submit an RoC (Report on Compliance) to the organisation’s acquiring banks to demonstrate its compliance.

Organisations in PCI Levels 2-4 can complete an SAQ (self-assessment questionnaire) instead of an external audit. Level 2 organisations must also complete an RoC.


Self-assessment questionnaire

There are several different types of SAQ that apply depending on your compliance level and the way you process payment card information:

  • SAQ A: For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants.
  • SAQ A-EP: For e-commerce merchants that outsource their payment processing but not the administration of the website that links to it.
  • SAQ B: For e-commerce merchants that don’t receive cardholder data but do control the method through which data is redirected to a third-party payment processor.
  • SAQ B-IP: For merchants that don’t store cardholder data in electronic form but use IP-connected point-of-interaction devices. These merchants may handle either card-present or card-not-present transactions.
  • SAQ C-VT: For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function.
  • SAQ C: For merchants with payment application systems connected to the Internet (no electronic cardholder data storage).
  • SAQ D: For all other merchants not included in SAQ types A–C.
  • SAQ P2PE: For merchants that use point-to-point encryption. It’s therefore not applicable to organisations that deal in e-commerce.

It’s essential that you select the right SAQ, because each one carries a different set of compliance requirements, determined by the way payment card data is processed.

If you’re assessing yourself against an inaccurate set of requirements, you are doing more than simply failing a bureaucratic aspect of the PCI DSS; you’re wasting resources meeting objectives that don’t apply.

Our experts are happy to speak with you if you’re unsure which SAQ you’re eligible for. We’re a CREST-accredited provider of PCI DSS services, and our team has extensive experience helping organisations comply with the Standard.


PCI DSS training

Get to grips with PCI DSS compliance by taking our PCI DSS Foundation Training Course.

This one-day introduction to the Standard provides a comprehensive overview of the fundamentals of PCI DSS compliance, and delivers practical guidance on how it applies to your organisation.

You’ll learn:

  • How to implement the PCI DSS’s requirements;
  • How to determine your organisation’s level of compliance;
  • Which controls your organisation must implement; and
  • How to complete the process for reporting compliance, whether it’s a self-assessment or an audit.

Those looking for more in-depth guidance might prefer our PCI DSS Implementation Training Course.

Over three days, you’ll receive expert advice on how to apply the Standard’s requirements to your organisation. We’ll show you how to complete the PCI DSS assessment, testing procedures and reporting requirements, and explain the differences between the SAQs.

You’ll also gain insight into the QSA’s perspective on scoping, gap analysis, remediation and audit issues and the effects of new technology on PCI DSS compliance.
