The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect customer credit card data by maintaining a secure credit card processing environment. Businesses that are not PCI compliant may be subject to fines, sanctions, and loss of privileges from the clearinghouse that processes credit card payments. Businesses that fail to protect customer data can also be subject to lawsuits and governmental prosecution.
PCI compliance merchant standards are divided into four individual PCI compliance security levels. Merchants verify their credit card processing level through the bank or clearinghouse that handles their credit card processing transactions. The level is determined by counting how many VISA or MasterCard transactions occur over a 12-month period. The Payment Card Industry uses the merchant level to determine the appropriate security measures the merchant must follow, based on the risk to the cardholder. The number of annual credit card processing transactions determines your PCI compliance security level as follows:
Level 1 – Over 6 million VISA transactions per year or VISA designates the merchant as a Level 1 merchant
- Validated by a Report on Compliance (ROC) prepared by a Qualified Security Assessor (“QSA”) – also commonly known as a Level 1 onsite assessment – or by an internal auditor if signed by an officer of the company. The ROC is used to verify that the merchant being audited is compliant with the PCI DSS standard. PCI DSS policies and procedures were developed to enhance the security of card-based transactions and protect cardholders against fraud and other misuse of their personal information. PCI DSS was created as a collaborative effort of Visa, MasterCard, Discover and American Express. The ROC must be filled out by the PCI Qualified Security Assessor (QSA) who has audited the merchant. The form is then submitted to the merchant’s acquiring bank for acceptance. Once the merchant’s acquiring bank has accepted the ROC, it sends the document on to Visa for compliance verification.
- Quarterly network scan by an Approved Scan Vendor.
- Attestation of Compliance Form.
Level 2 – 1 million to 6 million VISA or MasterCard transactions per year. Validated by an Annual Self-Assessment Questionnaire, a quarterly network scan by an Approved Scan Vendor and an attestation of compliance form.
Level 3 – 20,000 to 1 million VISA transactions per year. Validated, for both VISA and MasterCard, by an Annual Self-Assessment Questionnaire (SAQ), a quarterly network scan by an Approved Scan Vendor and an Attestation of Compliance Form.
Level 4 – Less than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year. Validated by an Annual Self-Assessment Questionnaire, a quarterly network scan by an Approved Scan Vendor and an Attestation of Compliance Form.
Posted 2019-05-04.