PCI DSS compliance is of increasing concern to many merchants. Whether you are a traditional "brick and mortar"
merchant, an online merchant, or some combination of the two, understanding which PCI compliance level applies to your
business is the first step in assuring that your PCI compliance audits will be as simple as possible.
PCI Compliance Levels
Merchants fall under four categories of PCI compliance, depending on the number of transactions they process each year,
and whether those transactions are performed from a brick and mortar location or over the Internet. Remember: all merchants
that process credit cards―whether small or large―must be PCI compliant.
Now here is where PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has
their own requirements and definitions of PCI compliance levels. Even though the PCI Security Standards Council (PCI SSC)
developed these standards, compliance is actually mandated by the individual payment card brands - Visa, MasterCard, American
Express, Discover and JCB International.
To give you a general idea of how to determine your PCI compliance level, here are Visa's PCI compliance level definitions:
- PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
- PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
- PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
- PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
We've written a comprehensive article on the different
PCI compliance requirements,
deadlines and level definitions for each payment card brand.
Storefront merchants categorized as PCI compliance levels 2,3, and 4 must complete an annual self-assessment questionnaire
(PCI SAQ) in addition to a
required quarterly network scan performed by an approved scanning vendor. The nature of the questionnaires, as well as the deadlines
for reaching PCI compliance, varies slightly depending on whether the merchant falls into PCI Compliance level 2, 3, or 4, but the
basic requirements remain the same.
Internet-based merchants are also divided into PCI compliance levels 1- 4, with each PCI compliance level defined by the same
transaction volumes as those for "brick and mortar" merchants. In addition, internet-based merchants at each PCI Compliance
level must undergo a quarterly vulnerability scan performed by an approved scanning vendor. Though some PCI Compliance Level 1
internet-based merchants may be able to perform annual self-assessments (with the permission of their processor and card brand), the
vast majority of internet-based merchants will be held to these PCI Compliance expectations.
PCI Compliance Solutions
Offering solutions that best fit your needs, Element Payment Services can dramatically reduce your PCI Compliance burden. Whether
you're a storefront merchant or an internet-based merchant, Element's secure payment
processing system provides credit card encryption and off-site storage of sensitive cardholder data (tokenization), making
complying with PCI DSS easier.
If you have further questions, or would like to know more about Element's PCI Compliance solutions, please
contact us. Our PCI compliance experts are standing by.