What Is PCI Level 1 Compliance?

Payment Card Industry Data Security Standard (PCI DSS) compliance is essential for any e-commerce business, but did you know that there are different degrees of PCI compliance? When choosing a merchant services provider or payment gateway, Level 1 PCI compliance is the gold standard. In some cases, you may also be required to have this level of protection for your site.

What Is PCI Compliance?

PCI compliance refers to a set of requirements established by the PCI Security Standards Council (PCI SSC) to protect customers’ debit and credit card data. The following 12 requirements were established to protect e-commerce websites from cyber threats and payment card fraud:

  1. You need a secure firewall.
  2. You need secure passwords for sensitive logins.
  3. You must take steps to secure cardholder data.
  4. All transactions must be encrypted.
  5. You must install and maintain current antivirus software.
  6. You must ensure that your internal systems and apps are secure at all times.
  7. You must only make cardholder data available to essential users.
  8. Each user with back-end access to your store must have a unique ID.
  9. You must restrict physical access to cardholder data.
  10. You must track and monitor all user access to cardholder information.
  11. You must test and audit your security systems on a regular basis.
  12. You must maintain an active cybersecurity policy.

Every e-commerce business is required to abide by these standards to be PCI compliant. However, large businesses and service providers that process a large volume of transactions are required to be even more stringent than their smaller counterparts when applying these standards and demonstrating their compliance. That’s where the PCI compliance levels come in.

What Are The PCI Compliance Levels?

There are four PCI compliance levels for merchants and two for service providers. The level of compliance required depends on:

  • The number of transactions the merchant or service provider processes each year
  • Whether the business has had a breach or cyberattack in which cardholder or credit card information was compromised

Level 1 PCI compliance is required for:

  • Businesses that process more than 6 million card transactions annually
  • Service providers that process more than 300,000 transactions annually

Level 2 PCI compliance is required for:

  • Businesses that process between 1 and 6 million card transactions annually
  • Service providers that process fewer than 300,000 transactions annually

Level 3 PCI compliance is required for:

  • Businesses that process 20,000 to 1 million card transactions annually

Level 4 PCI compliance is required for:

  • Small businesses that process fewer than 20,000 card transactions annually

PCI DSS Level 1 compliance requires more rigorous validation methods (described below) compared to the other PCI compliance levels, which can be satisfied with internal validation methods such as the Self-Assessment Questionnaire (SAQ) and don’t require an external audit. Level 1 PCI compliance is the level you want to look for in a merchant services provider or payment gateway.

What Is PCI Level 1 Compliance?

PCI Level 1 compliance is the most stringent of the four PCI merchant compliance levels. The PCI DSS defines PCI Level 1 compliance as a requirement for every merchant that processes:

  • A minimum of 6 million Visa, Mastercard, or Discover transactions per year
  • A minimum of 2.5 million American Express transactions per year
  • A minimum of 1 million JCB transactions per year

This level of compliance is also required for any business that has suffered a security breach or cyberattack during which cardholder data was compromised.

In addition to the standard PCI compliance requirements, PCI Level 1 organisations must submit:

  • An annual Report on Compliance (ROC): This report must be completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). The purpose of the ROC is to document that your organisation is meeting or exceeding all PCI DSS requirements. Though all e-commerce businesses are required to meet the standards, not all businesses are required to undergo these formal audits.
  • A quarterly network scan: These scans must be conducted by an Approved Scanning Vendor (ASV). Approved Scanning Vendors are individuals and organisations certified by the PCI Security Standards Council to scan websites for external vulnerabilities that could be exploited by cyber threats.
  • An Attestation of Compliance (AoC) form: This is a short form that confirms compliance with all 12 security requirements noted above. Like the ROC, the AoC form is typically completed by a Qualified Security Assessor (QSA) and submitted to the acquiring bank and the PCI Security Standards Council. It may be submitted in addition to or in place of the ROC.

All audit results must be submitted to the company’s acquiring bank for acceptance and verification.

What Is a PCI Level 1 Service Provider?

There are two types of businesses that require PCI compliance: merchants and service providers. Merchants are businesses that accept credit card payments from retail customers. Service providers are the businesses that make it possible to accept payments, including:

  • Merchant services providers
  • Payment processors
  • Payment gateway providers
  • Acquiring banks

For service providers, the requirements for Level 1 compliance are slightly different. As mentioned earlier in the article, Level 1 PCI compliance is required for service providers that process more than 300,000 credit card transactions per year. Like Level 1 merchants, Level 1 service providers must submit an annual ROC, quarterly network scans, and an Attestation of Compliance form. Penetration testing and internal vulnerability scanning (in addition to the standard external scans) are also required.

Stay Safe and Opt for Level 1 PCI Compliance

Most merchants can get by with the basics of PCI compliance. But when choosing a service provider for your e-commerce business, PCI Level 1 compliance should be a priority. When tasking a business with the responsibility of securing your customers’ credit card transactions, you want to ensure that they’re held to the highest level of scrutiny and accountability.

Air Europa was fined €600,000 by the Spanish Data Protection Agency (DPA) for a 2018 data breach that left its customers’ bank card data exposed. When you understand the severity of the threat and what’s at stake, it’s easy to see why you want to ensure the highest level of cybersecurity at all times.