What are the 4 Levels of PCI Compliance?
There are four merchant levels under PCI DSS, each with its own validation requirements. The level your business falls into depends on how many card transactions you process per year, and through which channels (card-present versus e-commerce), not on the size or complexity of your business. The thresholds are set by the card brands rather than by the PCI Council, and Visa, Mastercard, American Express and the others differ slightly; the figures below follow the Visa/Mastercard scheme that most acquirers use. The level changes how you must validate compliance; the PCI DSS requirements themselves apply equally to every merchant that stores, processes or transmits cardholder data.
Level 1 is the most stringent level. It applies to merchants who process more than 6 million transactions per year across all channels, and to any merchant the card brand or acquirer designates as Level 1 (for example, after a breach). Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA), or by qualified internal staff where the card brand permits it, resulting in a Report on Compliance (ROC) and a signed Attestation of Compliance (AOC), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). A self-assessment questionnaire (SAQ) is not sufficient at this level.
Level 2 is for merchants who process 1 million to 6 million transactions per year. They validate with an annual SAQ and AOC and quarterly ASV scans. An on-site assessment is not required unless the acquirer asks for one, although Mastercard requires a Level 2 merchant's SAQ to be completed by a QSA or by staff holding the Internal Security Assessor (ISA) qualification.
Level 3 is for merchants who process 20,000 to 1 million e-commerce transactions per year. They validate with an annual SAQ and AOC and quarterly ASV scans.
Level 4 is the least stringent level, for merchants who process fewer than 20,000 e-commerce transactions per year, or up to 1 million transactions across all channels. They are not required to have an on-site assessment; validation is an annual SAQ and AOC, with quarterly ASV scans where externally facing systems are in scope, and the acquirer decides what evidence it will actually collect.
If you're not sure which level your business falls into, or if you have questions about the PCI DSS validation requirements, contact your acquiring bank or payment processor, since the acquirer is the party that assigns your level and collects your validation evidence, or visit the PCI Security Standards Council website.
The PCI Security Standards Council develops and maintains the PCI Data Security Standard (PCI DSS), a set of security requirements for protecting cardholder data. The Council does not enforce the standard; enforcement, including the assignment of merchant levels and any fines for non-compliance, is carried out by the card brands through the acquiring banks. The compliance level does not change which controls you must have in place: every merchant that accepts, processes, stores or transmits card data must meet the applicable PCI DSS requirements. What the level determines is how you must validate that you meet them, from an independent on-site assessment at Level 1 down to a self-assessment questionnaire at Level 4.
In this article, we'll cover the four levels of PCI compliance and provide a brief overview of each. For more information on complying with PCI DSS requirements for each level, see our related articles at the end of this piece.
PCI Compliance Level 1 – The Most Stringent Validation Requirement
To validate compliance at Level 1, you must undergo an annual on-site assessment by a QSA (or by internal staff holding the ISA qualification, where your card brand allows it). The assessor tests every applicable PCI DSS requirement against your cardholder data environment and produces a Report on Compliance, which you submit to your acquirer with a signed Attestation of Compliance. You must also pass quarterly external vulnerability scans by an ASV. Level 1 merchants usually need a dedicated compliance function to manage scope, evidence and the assessor engagement, but what the standard mandates is the independent assessment, not the team.
Use validated payment applications, meaning software listed under the PCI Secure Software Standard (or the earlier PA-DSS programme), which has been evaluated for secure handling of cardholder data before being accepted for listing. Have it installed and configured by a qualified integrator (a PCI Qualified Integrator and Reseller, QIR, where your acquirer requires one), and keep it on a supported version with security patches applied. An unpatched payment application is in scope for the same requirements as every other component of the cardholder data environment.
PCI Compliance Level 2 – A Somewhat Relaxed Validation Requirement
To validate compliance at Level 2, you complete a self-assessment questionnaire every year, submit it with an Attestation of Compliance to your acquirer, and pass quarterly ASV scans. Mastercard requires a Level 2 merchant's SAQ to be completed by a QSA or by staff holding the ISA qualification; Visa does not require an on-site assessment at this level unless the acquirer requests one. In addition to the SAQ, Level 2 merchants must also complete the following:
Use validated payment applications, as at every level: software listed under the PCI Secure Software Standard (or the earlier PA-DSS programme), installed by a qualified integrator where your acquirer requires one, and kept on a supported, patched version.
PCI Compliance Level 3 – A Moderate Validation Requirement
To validate compliance at Level 3, you complete the annual SAQ and Attestation of Compliance and pass quarterly ASV scans; no on-site assessment is required. Because Level 3 is defined by e-commerce volume, the SAQ type that applies depends on how your site handles card data: SAQ A if all payment functions are fully outsourced to a validated third party, SAQ A-EP if your own site affects the security of the payment transaction (for example, by serving the page that redirects to or embeds the payment form), and SAQ D if you handle card data yourself.
Use validated payment applications, as at every level: software listed under the PCI Secure Software Standard (or the earlier PA-DSS programme), installed by a qualified integrator where your acquirer requires one, and kept on a supported, patched version.
PCI Compliance Level 4 – The Least Stringent Validation Requirement
To validate compliance at Level 4, you complete a self-assessment questionnaire (SAQ) every year and, where your acquirer requires it, pass quarterly ASV scans. The card brands leave the Level 4 validation programme to the acquirer's discretion, but most acquirers require the SAQ and an Attestation of Compliance. In addition to completing an SAQ, Level 4 merchants must also complete the following:
Use validated payment applications, as at every level: software listed under the PCI Secure Software Standard (or the earlier PA-DSS programme), installed by a qualified integrator where your acquirer requires one, and kept on a supported, patched version.