Comprehensive Guide to the Four Levels of PCI Compliance

By alphacardprocess December 21, 2021

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for protecting credit and debit card data wherever it is stored, processed or transmitted. It is maintained by the PCI Security Standards Council (PCI SSC), which was formed in 2006 by the major card brands: Visa, Mastercard, American Express, Discover and JCB.

Merchants are grouped into four compliance levels, set by each card brand according to annual transaction volume (Visa's thresholds are the ones most often quoted, and your acquiring bank tells you which level you are in). The levels do not change which requirements apply: all 12 PCI DSS requirements apply at every level. What changes from level to level is how compliance must be validated and reported. If you store, process or transmit card data in any form, your organization falls into one of these four levels.

This guide walks through each of the four levels, from Level 1 (the highest volume and the most rigorous validation) down to Level 4, explains what validation each level requires, lists the 12 requirements every level must meet, and notes what happens when noncompliance or a compromise is detected.

What you’ll learn:

The four levels of PCI compliance, from Level 1 (the most rigorous validation) to Level 4, and the 12 requirements that apply at every level

Level 1: The Highest Level of PCI Compliance (More Than 6,000,000 Transactions per Year)

Level 1 is the highest level, not the lowest. You are a Level 1 merchant if you process more than 6,000,000 transactions per year on a single card brand, counted across all channels (card-present and e-commerce alike), or if a card brand assigns you to Level 1 for another reason, most commonly after a compromise of cardholder data. Level 1 is the only level that requires an independent assessment. Each year you must:

  • Undergo an on-site assessment by a Qualified Security Assessor (QSA), or by an internal auditor if the result is signed by an officer of the company, producing a Report on Compliance (ROC)
  • Pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV)
  • Submit an Attestation of Compliance (AOC) to your acquirer

There is no reduced set of six controls at Level 1 or at any other level. All 12 PCI DSS requirements apply in full; the difference at Level 1 is that an assessor tests every applicable requirement rather than you attesting to it yourself.

Level 2: PCI Compliance for Merchants Processing 1,000,000 to 6,000,000 Transactions per Year

You are a Level 2 merchant if you process between 1,000,000 and 6,000,000 transactions per year across all channels. Level 2 does not require an on-site QSA assessment. Each year you must complete the applicable Self-Assessment Questionnaire (SAQ), pass quarterly ASV scans and submit an AOC to your acquirer. Some brands add conditions; Mastercard, for example, requires a Level 2 SAQ to be completed by a QSA or by internal staff certified as Internal Security Assessors (ISAs).

The 12 PCI DSS requirements (v3.2.1 numbering) are the same at every level. The list below is what a Level 2 merchant attests to in the SAQ, and the same list applies to Levels 1, 3 and 4:

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel
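Requirement 3 is where most merchants slip in practice: a full primary account number (PAN) ends up in an application log, a support ticket or a debug dump, and Requirement 3.3 (mask the PAN when displayed, at most first six and last four digits) and 3.4 (render stored PANs unreadable) are broken without anyone noticing, and the log store itself falls into PCI scope. The script below is an added example written for this guide, not code from the original article or from the PCI SSC: it finds candidate PANs in log text, confirms them with the Luhn check so that order numbers and timestamps are left alone, and replaces each real PAN with a Requirement 3.3 mask. The log lines, the order number and the regular expression are constructed for the example; the two masked numbers are the well-known Visa and Mastercard test PANs, not real cardholder data.

```python
import re

# Constructed sample log lines for this example. The two card numbers are the
# standard Visa and Mastercard test PANs, not real cardholder data.
LOG_LINES = [
    "2021-12-21T10:15:42Z checkout order=20211221000123 pan=4111 1111 1111 1111 amount=19.99",
    "2021-12-21T10:16:03Z refund pan=5500000000000004 amount=5.00",
    "2021-12-21T10:16:30Z lookup ref=4111111111111112 status=ok",
]

# A PAN is 13 to 19 digits; allow the spaces or dashes people type between groups.
# The lookarounds stop the pattern from matching a slice out of a longer digit run
# (a 20-digit reference number is not a PAN and should not be partially masked).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812). Every issued PAN passes it,
    so a digit run that fails is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask per PCI DSS v3.2.1 Requirement 3.3: show at most first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> tuple[str, int]:
    """Return the line with every Luhn-valid PAN masked, plus how many were masked."""
    masked = 0

    def _replace(match: re.Match) -> str:
        nonlocal masked
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            masked += 1
            return mask_pan(digits)
        return match.group(0)   # a digit run that is not a PAN: leave it untouched

    return PAN_CANDIDATE.sub(_replace, line), masked


def scrub_log(lines):
    """Scrub a whole log. Returns (scrubbed_lines, total_pans_masked)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return out, total


if __name__ == "__main__":
    scrubbed, found = scrub_log(LOG_LINES)
    print(f"{found} PAN(s) found and masked")
    print("\n".join(scrubbed))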

Level 3: PCI Compliance for Merchants Processing 20,000 to 1,000,000 E-commerce Transactions per Year

You are a Level 3 merchant if you process between 20,000 and 1,000,000 e-commerce transactions per year. Level 3 is defined by e-commerce volume only; card-present volume does not count toward it. Validation has the same shape as Level 2: an annual SAQ, quarterly ASV scans and an AOC submitted to your acquirer.

There is no expanded list of 24 controls at this level. Level 3 merchants meet the same 12 PCI DSS requirements as every other level. What varies is which SAQ you complete, and that is decided by how you handle card data, not by your level: SAQ A for an e-commerce merchant whose payment page is fully outsourced to a compliant provider, SAQ A-EP for a site that outsources processing but still controls how cardholder data is redirected to the provider, and SAQ D for everything else. The SAQ determines how many of the 12 requirements you must self-assess in detail.

Level 4: PCI Compliance for Merchants Processing Fewer Than 20,000 E-commerce Transactions per Year

You are a Level 4 merchant if you process fewer than 20,000 e-commerce transactions per year, or up to 1,000,000 transactions per year through any channel. This is the lowest level and it covers most small businesses. Validation is an annual SAQ, quarterly ASV scans where your SAQ calls for them, and an AOC; the card brands generally leave it to the acquirer to decide what a Level 4 merchant must submit, so ask your acquirer what it expects. Again, there is no list of 36 controls: Level 4 merchants are held to the same 12 requirements as everyone else.

One point that is often stated backwards: SSL and early TLS are not an acceptable way to meet Requirement 4. The PCI SSC required all entities to migrate off SSL (every version) and early TLS (TLS 1.0; TLS 1.1 is now deprecated as well) by June 30, 2018, and PCI DSS v3.2.1 Appendix A2 only tolerates them for legacy card-present POS terminal connections with documented compensating controls. ASV scans flag any in-scope endpoint that still accepts them. Card numbers, expiration dates and other cardholder data sent over open or public networks must be protected in transit with TLS 1.2 or later and strong cipher suites.

There are four levels of PCI compliance. Your level sets how you must validate compliance (a QSA assessment and ROC at Level 1, an SAQ at Levels 2 to 4), but the 12 PCI DSS requirements are the same at every level. If you do not implement all of them you remain exposed to cardholder data breaches, and a breach or a missed validation can bring fines and fees from the card brands, passed on through your acquirer, and can move you up to Level 1 validation regardless of your transaction volume.