
The 4 Levels of PCI Compliance Explained

Author: DuploCloud | Tuesday, February 7 2023

Discover which compliance level applies to your organization so you can save time on audits and paperwork

From ordering groceries to paying bills, people are more comfortable paying for goods and services online than ever before. Americans spent nearly $871 billion online in 2021, and this is in large part due to the security standards put in place by the Payment Card Industry Security Standards Council (PCI SSC).

The PCI SSC represents the major players in the payments industry, like Visa and MasterCard. These organizations have joined forces to develop the Payment Card Industry Data Security Standards (PCI DSS) for merchants accepting credit card payments over the internet to protect account data. Read on to learn about the four levels of PCI compliance, which industries they cover, and how your organization can meet them.

How Does PCI Compliance Work?

PCI compliance standards cover various aspects of network and data security, including point-to-point encryption, robust password requirements, and multi-factor authentication. Meeting these security standards is not legally required but is often mandated by payment service providers through merchant agreements to accept and process online credit card payments.

While the security standards themselves are shared across payment card brands, the thresholds for each compliance level are not. Each brand maintains its own list of PCI compliance levels based on the number of online transactions a business processes annually. Each level determines the complexity of the audit and the stringency of the validation requirements. Most brands define four levels of compliance, though some — like Discover — define only three.

Since Visa is the most popular credit card network in the world, we will use their compliance levels as an example in this article, but be sure to visit the following links for more specific information regarding each payment card company’s PCI compliance requirements:

No matter which company, if you accept, process, store, or transmit card information, you need to be PCI compliant. Let our free checklist walk you through each of the 12 steps:


Levels of PCI Compliance

PCI Level 1 Compliance: For Global Retailers and Enterprises

PCI compliance Level 1 is the strictest and is reserved for the largest companies and conglomerates, many of which operate on a global scale. Visa requires any business processing over six million transactions per year to achieve Level 1 compliance. Many payment processors also require merchants that have suffered a data breach to undergo the Level 1 compliance process to prove they have adequate security measures in place to protect account data.

To become Level 1 compliant, businesses must annually complete the following:

  • File a Report on Compliance (ROC): A ROC is the report produced by an audit conducted by a third-party agent known as a Qualified Security Assessor (QSA). Visa also allows this report to be completed by an internal agent if a company officer signs the audit. The audit is a thorough assessment of the internal controls and systems that handle card data, as well as the organization’s overall security posture, to ensure they are in line with PCI requirements. The PCI SSC provides a ROC template as an example of what organizations can expect during an audit.
  • File an Attestation of Compliance (AOC): This is a certification made by the organization that its systems and processes comply with PCI standards. The QSA may take care of filing the AOC form during the audit process, or internal staff may submit it directly.

PCI Level 2 Compliance: For Regional and Mid-Sized Enterprises

A step down from the strict requirements of Level 1 compliance, Level 2 is reserved for businesses that process anywhere between one million and six million annual online payment transactions.

Organizations that fall within this compliance category must complete the following every year:

  • File a Self-Assessment Questionnaire (SAQ): This document asks organizations a series of questions about how they process credit cards and whether they partner with third-party service providers, and it documents whether the organization has met specific PCI requirements. This is an internal evaluation — organizations do not need to bring in a QSA to complete the questionnaire.
  • File an AOC.

PCI Level 3 Compliance: For Medium-Sized Businesses

For Visa, Level 3 compliance is very similar to Level 2 compliance. The most significant difference is in the number of annual transactions — Level 3 is reserved for businesses that process between 20,000 and one million annual transactions.

Organizations must do the following yearly to achieve and maintain Level 3 compliance:

  • File an SAQ.
  • File an AOC.

PCI Level 4 Compliance: For Small, Local Businesses

PCI compliance for small businesses is far less stringent than any other compliance level and is reserved for organizations that process fewer than 20,000 annual transactions.

For Visa, organizations must complete one of the following every year:

  • File an SAQ; or
  • An “alternate verification exercise” as required by the bank which receives merchant funds. These exercises can differ based on the bank but may involve confirming the use of PCI-certified Qualified Integrators and Resellers (QIRs) to install and integrate payment processing systems.

Need to brush up on the basics of PCI Compliance? Check out The Complete Guide to PCI Compliance.

Need to Get Compliant? DuploCloud Can Help

Achieving PCI compliance is a difficult task, especially when Platform Engineering teams manually configure security controls for their cloud-native applications. At DuploCloud, we simplify the process for organizations of any size to speed up the compliance process, enabling them to iterate and bring their ideas to market faster than ever.

DuploCloud is an all-in-one DevSecOps Automation platform that accelerates infrastructure provisioning and automatically maps security controls to PCI DSS, ensuring that applications comply with stringent security requirements. And since PCI DSS encompasses many of the security requirements for SOC-2, GDPR, HIPAA, and HITRUST, you can be confident that your applications meet various compliance needs. Read our PCI compliance whitepaper today and see how DuploCloud can improve deployment times and reduce your cloud operating costs by up to 70%.
