Understanding Levels of PCI DSS Compliance
With our Ultimate Guide to PCI DSS Cloud Hosting we delve into the significance of protecting your client data and why it’s critical for businesses to be PCI DSS certified.
But how rigorous is the certification process? If you’re a small to medium-sized business, do you have to meet as many requirements and jump through as many hoops as a large enterprise? The answer is yes and no.
There are many benefits to partnering with a PCI DSS cloud hosting provider like Complior. In our latest post, we outline the 5 Benefits of Outsourcing, including costs, staying up-to-date and scalability. Below, we outline what the PCI DSS certification process entails, so you know what’s in store as your company works to become PCI DSS compliant.
PCI DSS Requirements*:
PCI DSS outlines technical and operational requirements for those who in any way store, process and/or transmit payment card data. PCI DSS has 12 main requirements and over 300 sub-requirements. The standard is ever-developing to reflect the payment industry, and updated versions are released regularly.
The PCI DSS requirements are related to the technology, people and processes surrounding payment card data. This is to ensure a high level of security for everything involved in the process of handling payment card data.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
PCI DSS Levels:
The first thing you need to know is that the PCI DSS certification process can be very different between businesses. This is dependent on how many transactions a company processes per year. Below we have outlined the different levels of PCI DSS compliance for merchants and service providers so you can get an understanding based on how many transactions your business currently processes annually.
Merchant provider levels of PCI Compliance:

| Level | Annual transaction volume |
|---|---|
| Level 1 | 6 million or more Visa and/or MasterCard transactions processed per year. |
| Level 2 | 1-6 million Visa and/or MasterCard transactions processed per year. |
| Level 3 | 20,000 to 1 million Visa and/or MasterCard e-commerce transactions processed per year. |
| Level 4 | Fewer than 20,000 online transactions a year or up to 1 million regular transactions per year. |
Service provider levels of PCI compliance:

| Level | Annual transaction volume |
|---|---|
| Level 1 | Store, process, or transmit more than 300,000 credit card transactions annually. |
| Level 2 | Store, process, or transmit less than 300,000 credit card transactions annually. |
Note that a service provider is directly involved in the payment process as a third party. Service providers store and/or transmit payment data on behalf of other companies. Some examples are hosting providers and managed service providers.
PCI DSS Certification:
The PCI compliance levels are used to determine the amount of assessment and security validation required for the merchant or service provider to obtain a PCI DSS certification.
Based on whether your business is a merchant or a service provider, and on its number of annual transactions, this is what is expected during the certification process at each level:

| Level | Merchant Providers | Service Providers |
|---|---|---|
| Level 1 | 1. Undergo annual on-site security assessments. 2. Undergo quarterly network scans by an ASV. 3. Submit an annual report on compliance (ROC) written by a QSA (Quality Security Assessor). | 1. Undergo annual on-site security assessments. 2. Undergo quarterly network scans by an ASV. 3. Submit an annual report on compliance (ROC) written by a QSA (Quality Security Assessor). 4. Undergo penetration tests. 5. Undergo internal scans. 6. Submit an Attestation of Compliance Form (AOC). |
| Level 2 | 1. Fill out the applicable Self-Assessment Questionnaire (SAQ) annually. 2. Undergo quarterly network scans by an ASV. | 1. Fill out the Self-Assessment Questionnaire D (SAQ D) annually. 2. Undergo quarterly network scans by an ASV. 3. Undergo penetration tests. 4. Undergo internal scans. 5. Submit an Attestation of Compliance Form (AOC). |
| Level 3 | 1. Fill out the applicable Self-Assessment Questionnaire (SAQ) annually. 2. Undergo quarterly network scans by an ASV. | n/a (service providers have only two levels) |
| Level 4 | 1. Fill out the applicable Self-Assessment Questionnaire (SAQ) annually. 2. Undergo quarterly network scans by an ASV. | n/a (service providers have only two levels) |
It’s worth mentioning that since Level 1 companies process the most transactions per year, it is natural that these companies also have to fulfill the strictest PCI security requirements.
Armed with this basic understanding of what PCI DSS is all about, the level of detail and significance it plays in the role of business today and how prudent it is to ensure you comply, are you ready to simplify your life and trust the certification process to PCI DSS experts? Contact us for a free consultation and get started right away.
*https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security