PCI Compliance Levels: How To Determine What Level You Are

Are you considering taking credit cards as a form of payment? Are you already taking credit cards and have experienced substantial growth in your annual volume?  What are your responsibilities as a Merchant or Service Provider? Hold on to your seat as it’s a fun process that needs to be completed annually!

Merchants

Fortunately, the PCI Security Council, and the 5 card brands (Visa, MasterCard, American Express, Discover, and JCB) have outlined in detail what is expected of merchants. A merchant is defined as someone that stores, processes and transmits credit or debit card information and has a merchant ID. Each merchant is categorized as a “level”, based on the number of transactions they process in a year, outlined as follows:

• Level 1 ( > 6 million transactions)
• Level 2 ( 1 million to 6 million transactions)
• Level 3 ( 20k to 1 million transactions)
• Level 4 (< 20k transactions)

Determining merchant level often raises questions. The credit card brands recommend that merchants contact their acquiring bank and with the bank’s assistance, merchants complete the following steps:

• Determine merchant level using transaction volume from the most recent 52-week period.
• Confirm necessary PCI validation requirements. 
• Engage an approved vendor, as appropriate, and follow the validation procedures.
• Once a merchant had been verified as compliant, the merchant must submit the validation requirements to its acquiring bank, which then will report the merchant’s compliance status to the brands.

Service Providers

So if you don’t have a merchant ID nor are you using a payment brand……What’s in store for you? The following is the PCI Security Standards Council (SSC) definition of a service provider:

Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.

As with merchants, there are two levels of Service Providers, based on the volume of transactions that are processed:

• Level 1 (More than 300k transactions annually)
• Level 2 (Less than 300k transactions annually)

With that being said, if your organization operates as a service provider, no matter which level you are considered, you may want to consider the business value of completing a PCI Level 1 Audit, also known as a PCI ROC (Report on Compliance). This process must be completed by utilizing a Qualified Security Assessor (QSA), such as Compass, that will validate your organization’s PCI compliance status and if you have met all the requirements to be PCI Compliant, will issue you an Attestation of Compliance (AOC) that you can provide to interested parties looking to verify your PCI Compliance status. For Service Providers that fall under the threshold of processing 300k transactions, you can complete SAQ-D (the only SAQ that Service Providers are allowed to complete by the PCI Security Standards Council).

Now that we have outlined what the various PCI Compliance Levels are, what should we do next? The first thing to do is to figure out what level you are today and then start tackling the process! It works out better when you include your friends from Finance, IT and the business lines involved with the credit card process as PCI Compliance is not just an IT issue, it is a business issue. Plus, they will appreciate being included and enjoy the team building experience!

Need help navigating the complex world of PCI Compliance? Contact us with any questions that you have and be sure to download our PCI Compliance datasheet for more information on how Compass can assist your organization on the quest to become PCI Compliant!