The Payment Card Industry Data Security Standard (PCI-DSS), with its compliance levels 1, 2, 3 and 4, is a set of security standards.
This was created by MasterCard, Visa, Discover Financial Services, American Express and JCB international in the year 2004.
It pertains to the compliance scheme that seeks to secure both online credit and debit card transactions from fraudulent acts and data theft.
PCI-DSS compliance applies to both merchants and service providers. It is divided into levels 1, 2, 3 and 4, and each level is based on the total number of debit and credit card transactions a business processes per year:
- Level 1 – Over 6 million transactions per year.
- Level 2 – Between 1 and 6 million transactions per year.
- Level 3 – Between 20,000 and 1 million transactions per year.
- Level 4 – Less than 20,000 transactions per year.
Level 1 Merchants: criteria and requirements
As per PCI-DSS, merchants are the entities responsible for accepting payment cards that carry the logo of any of the five members of the PCI-DSS, as payment for goods and/or services.
As for Merchants’ level 1 compliance and certification, here are the criteria and requirements that are needed:
Criteria
- These are merchants that process over 6 million Visa, MasterCard, or Discover transactions annually through any payment channel
- Merchants that process more than 2.5 million American Express transactions annually.
- Merchants that are processing more than 1 million JCB transactions annually.
- Merchants that are classified by another card brand as Level 1.
- Merchants that experienced a cyberattack or data breach that resulted in cardholder data (CHD) being compromised.
Requirements
- Completed Attestation of Compliance (AoC) form.
- Quarterly network scan by any Approved Scanning Vendor (ASV).
- Annual Report on Compliance (RoC) from a Qualified Security Assessor (QSA) or, for MasterCard, from ISA-accredited internal staff.
Level 1 Service Provider: criteria and requirements
For service providers, PCI-DSS defines them as business entities that are not a payment brand. These are not directly involved in the processing, storage, or transmission of any cardholder data; they are entities that provide services, such as internet connectivity, to merchants and acquiring banks.
As for service providers’ level 1 compliance and certification, here are the criteria and requirements that are needed:
Criteria
- Stores, transmits, or processes more than 300,000 credit card transactions per year.
Requirements
- Internal scan
- Penetration test
- Completed Attestation of Compliance (AoC) form.
- Quarterly network scan by any Approved Scanning Vendor (ASV).
- Annual Report on Compliance (RoC) from a Qualified Security Assessor (QSA).
Note that every business that processes credit card and debit card transactions is required to have PCI-DSS certification. Certification also helps organizations build long-lasting relationships with their customers by earning their trust.