Understand PCI compliance levels
If you process credit cards, you can’t avoid dealing with PCI (Payment Card Industry) compliance—and the best thing you can do is educate yourself so your business and systems adhere with these important guidelines at all times. All merchants fall into one of four merchant PCI compliance levels, which are determined based on your Visa transaction volume and type over the period of a year. Visa transactions include all credit, debit and prepaid cards with the Visa logo.
Let’s take a look at how merchants are classified into the four levels.
PCI Compliance Level 1 Merchant
- Any merchant that processes over 6 million Visa transactions per year (regardless of the processing channel: in-store, online, etc.)
- Any merchant that Visa determines should be a Level 1 merchant to minimize risks to the Visa system
Due to their high annual processing volumes, Level 1 Merchants must take the greatest efforts to secure their processing systems. These merchants must complete annual on-site reviews by an internal auditor and successfully pass a required network scan by an approved scanning vendor.
PCI Compliance Level 2 Merchant
- Any merchant that processes 1 million to 6 million Visa transactions per year (regardless of the processing channel: in-store, online, etc.)
PCI Compliance Level 3 Merchant
- Any merchant that processes 20,000 to 1 million Visa eCommerce transactions per year
PCI Compliance Level 4 Merchant
- Any merchant that processes fewer than 20,000 Visa eCommerce transactions per year
- Any merchant that processes up to 1 million Visa transactions per year (regardless of the processing channel: in-store, online, etc)
Note that any merchant that has suffered a data breach of sensitive card data may be escalated to a higher validation level.
Maintaining Level 4 Classification
To satisfy the requirements of being classified as a Level 4 Merchant, a small to medium-sized business must:
- Complete the appropriate Self Assessment Questionnaire (SAQ) from the PCI Security Standards Council (SSC)
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC-approved scanning vendor (not applicable to all merchant types)
- Complete the appropriate Attestation of Compliance in its entirety (located within the SAQ)
- Submit the SAQ, evidence of passing the vulnerability scan (if required for your business type), the Attestation of Compliance and other requested documentation to your acquirer
Level 2, 3 and 4 Merchants must keep their annual SAQ current and conduct quarterly vulnerability scans with an approved scanning vendor.
For more information on achieving and maintaining PCI compliance, check out the PCI Security Standards Council website. Remember that PCI compliance is not a one-time solution, but rather a practice in which your business must be continually engaged in order to ensure compliance. Contact your payments processor for help in meeting the criteria.