If your company falls under PCI DSS, your acquirer (also known as your merchant bank) assigns you to one of four merchant levels, and that level determines how you must validate your compliance. Process enough card transactions in a year and you will be classified as Level 1, which changes your organization’s assessment and reporting requirements.
This article will walk you through the implications of a Level 1 requirement under card brand requirements — and the surprising reasons you may opt to act as if you’re Level 1, even if you aren’t.
The Four Levels of PCI DSS
If you’re thinking that the four levels of PCI sound a lot like the nine circles of hell, don’t worry — it’s not that bad.
Every merchant that validates compliance with PCI DSS is categorized into one of four merchant levels (aptly named Levels 1-4). These levels are based on your card transaction volume per year: your level is determined by the number of transactions processed under your merchant account in a given year. Each card brand publishes its own level definitions; the thresholds below are Visa’s, which are the ones most acquirers work from.
- Level 1 — more than 6 million transactions across all channels
- Level 2 — 1 to 6 million transactions across all channels
- Level 3 — 20,000 to 1 million ecommerce transactions
- Level 4 — fewer than 20,000 ecommerce transactions, and all other merchants that process up to 1 million transactions (any channel, not ecommerce)
These levels were created by the card brands for use by the acquiring banks that sponsor merchant accounts. Those banks are ultimately responsible for managing their merchant portfolios, and they have internal quality measures they need to monitor in doing so.
For the sponsoring banks, an element of risk is associated with each level of PCI — more transactions mean more risk. Sponsoring banks pay very close attention to the distribution of risk among all the accounts in their portfolios. If the distribution is top heavy, they may make strategic adjustments.
Pay Attention to Level 1 Status
For the most part, which of Levels 2 through 4 you land in doesn’t materially change your obligations. Level 1 is different. Because it represents the most risk, Level 1 merchants must undergo an annual on-site assessment and submit a Report on Compliance (ROC). The ROC is normally completed by a Qualified Security Assessor (QSA); some card brands also accept a ROC performed by the merchant’s own PCI SSC-certified Internal Security Assessor (ISA), but either way a Self Assessment Questionnaire (SAQ) will not suffice at this level.
At Levels 2 through 4, organizations validate with an SAQ. You can choose to self-attest, get the assistance of an ISA, or hire a QSA at these levels (with one caveat: Mastercard requires Level 2 merchants to have their SAQ completed by ISA-trained staff or by a QSA).
To manage the risk in their portfolios, merchant banks are ultimately responsible for determining the validation requirements for each of their merchants. They may mandate that Level 2 or 3 merchants follow Level 1 requirements. So you could receive a notification that you are now required to go through a QSA-led assessment, even if you had fewer than 6 million transactions in the previous year.
Why You May Not Want to Self-Assess, Even if You Can
If you’re a Level 2-4 organization, you can choose the simpler option of self-assessing. But you might want to think twice about that.
If you’re a pizza shop with a phone line and a swipe terminal, you have far fewer responsibilities under PCI DSS, and you typically qualify for one of the short SAQs (SAQ B or B-IP). On the other hand, if your business runs a custom ecommerce platform and stores card numbers on your own systems in your own server room, your technical responsibilities to protect cardholder data have skyrocketed, and you are looking at SAQ D, which covers the full set of requirements.
If you’re self-assessing and you have more complexities, you could be courting trouble for yourself. Here’s why.
The PCI Security Standards Council publishes several versions of the self-assessment questionnaire, each based on the way your company handles card data, and each with eligibility criteria stated at the top of the form. When you sign off on a questionnaire, you attest that you meet those criteria and are therefore using the proper form for your business.
Moreover, all of the signoff forms, whether a ROC or any flavor of SAQ, require the organization to confirm that it will maintain PCI DSS compliance as applicable to its environment. In other words, you’re responsible for the full breadth of the applicable PCI DSS requirements, regardless of which form you actually filled out.
If you’ve chosen the appropriate form, it will direct you to the applicable requirements your organization needs to fulfill. But if you’ve miscategorized your company, then you aren’t taking into account all of the applicable requirements.
Organizations get into trouble in one of two ways: they fill out the wrong form for their circumstances, or they fill out the right form but don’t actually perform all of the tasks it requires.
I’ve seen organizations decide to fill out a certain version of the SAQ form, because it looks easier to complete than other versions of the form. As soon as they have a problem, they’re in hot water. They don’t have a leg to stand on when the realm they’re having a problem with is really applicable to their organization, yet isn’t even covered under their paperwork.
While some organizations are mandated to go down the Level 1 path, any organization can elect to take it. Having a QSA perform your PCI assessment means an independent assessor confirms your scope and the requirements that apply to you, rather than you relying on your own categorization, and it gives you confidence that you’re following PCI DSS correctly.
A less expensive alternative is to retain a good security and compliance consultant year-round to guide your organization and ensure that, operationally, you’re approaching your compliance work appropriately.
As an example, TCT isn’t a Level 1 merchant, but we’ve elected to undergo a Level 1 assessment, even though, as PCI DSS compliance experts, we could self-assess. Why would we do that? Because we care about protecting all of the sensitive information our customers trust us with, whether it’s sensitive configuration information about their systems, intellectual property, personally identifiable information, or other sensitive data.
It is of utmost importance to us that we establish the highest protections possible, and that includes going up against PCI DSS Level 1 — with a scope of Sensitive Data, which covers the information that our Clients load up to the TCT Portal.
Furthermore, opting for Level 1 allows us to share an assessor-validated annual assessment with our clients. Our clients don’t have to take us at our word on a Self Assessment Questionnaire; they have our Qualified Security Assessor’s independent, third-party attestation that we’re compliant with the entirety of PCI DSS.
TCT cares about security and compliance. We want our customers to know that we take this stuff seriously — and we can prove it.
Need expert guidance on managing a PCI DSS engagement? Check out our ebook, Get Your Sh*t Together for PCI DSS.