The PCI Security Standards Council, or PCI SSC, was formed in 2006 to maintain the PCI-DSS standard. Alongside the standard, merchants are grouped into compliance levels that determine how an organization must validate its compliance; the level thresholds themselves are set by the individual card brands rather than by the PCI SSC.
These levels are based on the number and type of card transactions a business handles per year.
The levels exist to reflect the growing risk to merchants and cardholders as the volume of card transactions rises.
The fewer transactions you process, the higher your level number (Level 4 covers the smallest merchants) and the lighter your validation requirements; Level 1 carries the most stringent requirements.
What is PCI-DSS Level 1?
PCI-DSS Level 1 is the highest of the four PCI-DSS merchant compliance levels created to protect cardholder data. Depending on the card brand, a "Level 1" merchant is one that processes over six million, 2.5 million, or one million card transactions per year.
The card brands can also assign Level 1 to any merchant that has suffered a data breach or cyberattack resulting in the compromise of cardholder data, regardless of its transaction volume.
How do merchants comply?
The list of validation requirements for a Level 1 merchant is short, but meeting them is an involved process, and with good reason.
Cardholder data is at stake every time a card transaction is made with your business, so companies must take appropriate measures to protect it.
Always remember that a data breach can damage your company's reputation and can bring fines and lawsuits against your organization.
Here are the criteria and requirements you must consider when validating PCI-DSS compliance as a Level 1 merchant.
Criteria
As noted above, the baseline definition of a Level 1 merchant is an organization that processes over six million transactions annually, but the exact threshold depends on which card brands the merchant accepts.
Visa Inc. International, MasterCard Worldwide and Discover Financial Services define Level 1 merchants as those processing more than 6 million credit card transactions per year.
American Express sets its Level 1 threshold at 2.5 million transactions per year.
JCB International's Level 1 starts at 1 million credit card transactions per year.
An organization that has suffered a data breach or cyberattack resulting in the compromise of cardholder data must also meet Level 1 requirements, regardless of its size or how it processes, stores or transmits card data.
Requirements
The requirements for a Level 1 merchant are as follows:
- Annual on-site assessment documented in a Report on Compliance (ROC), completed by a Qualified Security Assessor (QSA) or a certified Internal Security Assessor (ISA)
- Quarterly external network vulnerability scan by an Approved Scanning Vendor (ASV)
- Completed Attestation of Compliance (AOC) form
Merchants must also submit these results (the ROC, the AOC and the ASV scan reports) to their acquiring bank.
The yearly assessment consists of several steps performed by the assessor, including an examination of your business' point-of-sale systems and the rest of the environment that handles card data, a detailed review of the areas where your company falls short of the requirements, and a list of remediations you should make before compliance can be attested and to reduce the chance of a breach.
Once the assessment is over, your job is to put in place the security controls and monitoring that keep your systems compliant between assessments; PCI-DSS compliance is a continuous obligation, not a once-a-year event.