Understanding the 4 levels of PCI compliance
Last edited Mar 2022
Standards are important. They allow consumers and businesses to operate with confidence and keep any potential wolves from the door. When it comes to payment data, standards are particularly important as it’s the kind of valuable information that can ruin livelihoods if it falls into the wrong hands.
All businesses that store, process or transmit payment card data must conform to the Payment Card Industry Data Security Standard (PCI DSS). The standard is maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB) to ensure cardholder data remains secure regardless of where, or by whom, it is being processed.
How many levels of PCI compliance are there? There are four. Companies that process millions of transactions a year are a far more attractive target for criminals than those that process only a few thousand, so the amount of validation they must perform is scaled accordingly. The requirements of the standard itself, however, apply to every company that handles card data, regardless of size. Note that each card brand defines its own merchant levels; the thresholds below are those used by Visa and Mastercard, and the other brands differ slightly.
What are the four levels of PCI compliance?
Every business carries a different level of breach risk depending on how many card payments it processes. For this reason, PCI compliance levels are based on the number of card transactions made annually across all business channels.
Note that most merchants large enough to qualify for level 3, 2 or 1 will most likely have their own internal compliance teams to monitor their PCI compliance. The vast majority of SMEs are classed as level 4. While these businesses are unlikely to be audited, the consequences of non-compliance can include hefty fines if a breach occurs and the business is found to have been non-compliant.
PCI level 4 merchants
Any merchant that processes fewer than 20,000 e-commerce card transactions a year (and no more than 1 million transactions in total) qualifies for level 4 status. The exact validation required is set by the merchant's acquiring bank, but it typically means completing an annual self-assessment questionnaire (SAQ), a quarterly external network scan by an Approved Scanning Vendor (ASV) and an attestation of compliance (AOC) form.
PCI level 3 merchants
Any merchant that processes between 20,000 and 1 million e-commerce card transactions a year qualifies for level 3 status. They must do everything required of level 4 merchants, and the self-assessment becomes more demanding because a larger, more complex business has more systems in scope.
PCI level 2 merchants
Any merchant that processes between 1 million and 6 million card transactions a year qualifies for level 2 status. They must do everything required of level 3 merchants, and again the assessment grows with the size and complexity of the business.
PCI level 1 merchants
Any merchant that processes more than 6 million card transactions a year, or has suffered a data breach in the past 12 months, qualifies for level 1 status. They must do everything required of level 2 merchants, and instead of a self-assessment questionnaire they need an annual on-site assessment carried out by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC). This assessment is significantly more comprehensive than the self-assessment questionnaire required of the other merchant levels.
What level of PCI DSS compliance do I need?
All merchants that accept card payments from Visa, MasterCard, JCB, Discover or American Express need to determine their PCI compliance level. Your level is determined by the number of card transactions you make annually and whether a data breach has occurred in the past 12 months. Your acquiring bank assigns and confirms your level, so check with them if you are unsure.
How to maintain PCI compliance
PCI compliance is an ongoing obligation, not a once-a-year exercise, and much of the onus rests on the business owner. The best way to ensure your business remains compliant is to keep the systems that touch card data segmented and secure, conduct regular security checks (including the quarterly scans where they apply), enforce strong authentication (the standard requires passwords to be changed at least every 90 days and multi-factor authentication for administrative access to the cardholder data environment), and train your employees in good data security practices.
Only then can you cultivate a culture of security and compliance that will keep your business and your customers safe from criminal entities.
We can help
If you’re interested in finding out more about PCI compliance, or any other aspect of your finances, then get in touch with our financial experts at GoCardless. Find out how GoCardless can help you with ad hoc payments or recurring payments.