Are you confused about which of the PCI DSS merchant levels applies to your company? Let’s clear things up.
If your organization processes, stores, or transmits cardholder data for the major credit card brands, you are required to be compliant with PCI DSS. PCI DSS is not required by U.S. federal law; it is an industry standard mandated by the credit card companies. However, some states have laws that refer to PCI DSS explicitly or contain equivalent mandated standards. Additionally, being found out of compliance can put your company in the crosshairs of the FTC.
The PCI DSS mandates that organizations follow 12 requirements, all categorized into one of six goals. Additionally, there are four PCI DSS merchant levels, which determine the type of validation an organization needs for their PCI DSS compliance. They are primarily determined according to a company’s risk profile and are as follows:
Merchant Level 1 applies to companies that handle more than six million Mastercard or Visa transactions annually. This merchant level also applies to companies that have experienced an attack resulting in compromised card data or that have been deemed a Level 1 by a card association.
Merchant Level 2 applies to companies that handle between one and six million Mastercard or Visa transactions annually.
Merchant Level 3 is for companies that handle between 20,000 and one million e-commerce Mastercard or Visa transactions annually.
Merchant Level 4 companies process (1) fewer than 20,000 Mastercard or Visa e-commerce transactions annually or (2) up to one million Mastercard or Visa transactions annually.
PCI DSS Merchant Level Validation Requirements
Levels 2 and 3 have very similar validation requirements:
- An annual self-assessment using the applicable self-assessment questionnaire (SAQ)
- A quarterly network scan by an approved scanning vendor (ASV)
- An Attestation of Compliance form
Merchant Level 4 validation standards are dictated by the organization’s acquiring bank. Typically, the bank will require, at minimum, an annual SAQ and quarterly scans by an ASV.
Then, there’s Merchant Level 1. Because of the higher level of risk these companies pose, either due to dealing with a very large number of transactions or having previously been breached, they are not allowed to self-assess. In addition to a quarterly scan by an ASV and an Attestation of Compliance form, Merchant Level 1 companies must undergo an annual audit, known as a Level 1 onsite assessment, conducted by a certified PCI DSS Qualified Security Assessor (QSA) such as Lazarus Alliance.
The QSA evaluates the Merchant Level 1 company’s IT policies and procedures, payment applications, and card data network environment, compiling a detailed assessment of vulnerabilities and a list of improvements to prevent breaches. At the end of the audit process, the QSA prepares a Report on Compliance (ROC) to be submitted to the company’s acquiring bank. Before the ROC is submitted, the QSA works with the organization being audited to address any issues that were noted.
What happens if you breach a Merchant Level requirement?
If you breach a PCI DSS Merchant Level requirement, the card associations can punish your company by slotting it into a higher Merchant Level. It’s very important to correctly classify your company and ensure that you are using the correct validation process for your Merchant Level.
The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.
Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.