PCI DSS: 4 Compliance Levels & 12 Requirements
If your business takes card payments from customers, you must ensure your procedures comply with Payment Card Industry Data Security Standards (PCI DSS). These rules set the minimum standards for payment data security.
Here’s what you need to understand about the PCI DSS and how to find a payment processor that provides the security your business needs to meet the requirements.
What is PCI DSS?
The PCI DSS requirements are a global set of best practices set out by credit card companies to ensure a baseline level of protection for payment cardholders’ data.
The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 by the five major credit card associations (Visa, Mastercard, American Express, Discover Financial Services and JCB) to align their data security standards. Its aim is to make the management of consumers’ card data safer and so reduce the risk of data breaches and fraud.
Vulnerabilities that can compromise customers’ personal data can occur anywhere in the card-processing system, including point-of-sale devices, mobile devices, computers and servers, paper-based record storage and data transmission to service providers.
The PCI DSS standards describe the technical and operational requirements that all merchants and other organisations must meet when accepting or processing card payments. Software developers and manufacturers that provide applications and devices to process transactions are also subject to these regulations.
PCI DSS compliance addresses three main aspects of card data security:
- Data handling. Cardholders’ sensitive account information must be collected and transmitted securely.
- Data storage. Card data must be stored securely through encryption and monitoring.
- Data validation. Organisations must validate their security controls annually to ensure they remain compliant.
The starting point for achieving PCI DSS compliance is understanding which requirements apply to your business. You must then assess the security of your data collection and storage, fix any vulnerabilities or security gaps, submit reports providing evidence of compliance, and implement data monitoring and alerting systems to ensure security controls function effectively.
PCI DSS compliance levels based on transaction volume
Whether an organisation must adhere to the requirements does not depend on the volume of transactions it processes — if an organisation receives any card payments or financial data, then it must comply with PCI DSS. Organisations that do not receive payment data directly, because they use a payment gateway or payment service provider, do not need to comply.
Where the volume of transactions processed comes into play is when looking at which specific PCI DSS requirements an organisation must meet, and there are four levels of compliance.
Level 1
This is the strictest level of compliance and applies to organisations that process more than 6 million transactions per year for Visa or Mastercard, or more than 2.5 million per year for American Express. It also applies to organisations with fewer transactions that have experienced a data breach or have been assigned Level 1 by a card association.
Level 1 requirements:
- Organisations must submit an annual Report on Compliance (ROC) conducted onsite by a Qualified Security Assessor (QSA) or internal security auditor (ISA). An ISA can be a member of the organisation who has been trained to carry out the assessment and liaise with external auditors.
- An approved vendor must carry out a quarterly network scan of organisations’ computer systems and inform them of potential security issues.
- Organisations must undergo a cybersecurity assessment at least once every year to check their infrastructure for potential vulnerabilities.
- Organisations must submit an Attestation of Compliance (AOC) form stating compliance. Merchants and service providers complete specific forms.
Level 2
This level of requirements is for organisations that process between 1 million and 6 million transactions per year.
Level 2 requirements:
- Organisations do not need to complete an onsite audit but must complete a Self-Assessment Questionnaire (SAQ). There are nine different types of SAQs, depending on how the organisation processes payment cards and handles cardholder information.
- An approved vendor must carry out a quarterly network scan of organisations’ computer systems and inform them of potential security issues.
- Organisations must undergo a cybersecurity assessment at least once every year to check their infrastructure for potential vulnerabilities. Service providers must be tested every six months.
- Organisations must submit an Attestation of Compliance (AOC) form stating compliance. Merchants and service providers complete specific forms.
Level 3
Level 3 of PCI DSS applies to organisations that process between 20,000 and 1 million transactions per year.
Level 3 requirements:
- Organisations do not need to complete an onsite audit but must complete a Self-Assessment Questionnaire (SAQ). As above, there are nine different types of SAQs, depending on how the organisation processes payment cards and handles cardholder information.
- An approved vendor must carry out a quarterly network scan of organisations’ computer systems and inform them of potential security issues.
- Organisations must submit an Attestation of Compliance (AOC) form stating compliance. Merchants and service providers complete specific forms.
- Note that JCB International does not have Level 3, so merchants processing less than 1 million JCB transactions annually must meet Level 2 compliance.
Level 4
Lastly, organisations that process less than 20,000 transactions per year must comply with Level 4.
Level 4 requirements:
- Organisations do not need to complete an onsite audit but must complete a Self-Assessment Questionnaire (SAQ). As with Level 3 and 2, there are nine different types of SAQs, depending on how the organisation processes payment cards and handles cardholder information.
- An approved vendor must carry out a quarterly network scan of organisations’ computer systems and inform them of potential security issues.
- Organisations must submit an Attestation of Compliance (AOC) form stating compliance. Merchants and service providers complete specific forms.
PCI DSS requirements explained
To achieve PCI DSS certification, organisations need to show in their assessments that they comply with 12 high-level requirements that are organised into six different control objectives and further subdivided.
Every PCI DSS version has divided the control objectives into sub-requirements differently, but the 12 main requirements have remained the same throughout.
| Control objectives | Requirements |
| --- | --- |
| 1. Build and maintain a secure network and systems | 1. Install and maintain network security controls. 2. Apply secure configurations to all system components. |
| 2. Protect account data | 3. Protect stored account data. 4. Protect cardholder data with strong cryptography during transmission over open, public networks. |
| 3. Maintain a vulnerability management program | 5. Protect all systems and networks from malicious software. 6. Develop and maintain secure systems and software. |
| 4. Implement strong access control measures | 7. Restrict access to system components and cardholder data by business need to know. 8. Identify users and authenticate access to system components. 9. Restrict physical access to cardholder data. |
| 5. Regularly monitor and test networks | 10. Log and monitor all access to system components and cardholder data. 11. Test the security of systems and networks regularly. |
| 6. Maintain an information security policy | 12. Support information security with organisational policies and programs. |
Each of the 12 requirements includes the following content:
- Requirement description. Sets out the requirement.
- Defined approach and testing procedures. Details the traditional approach to implementing the standard.
- Customised approach objective. Sets out the intended objective for the requirement, which organisations using a customised approach must meet.
- Applicability notes. Apply to both the defined and customised approaches and include information affecting how the requirement is interpreted. The notes indicate the new PCI DSS v4.0 requirements that transition from best practices to formal requirements on 31 March 2025.
- Guidance. Provides details on how to meet the requirement.
Why should your business comply with PCI DSS?
While complying with PCI DSS regulations can seem like unnecessary work, it is essential to protect your business, employees and customers.
According to UK government data updated in July 2022, 39% of businesses suffered cybersecurity breaches or attacks in the last 12 months, and one in five lost money, data or other assets.
Unauthorised financial fraud losses from payment cards totalled £272.3 million in the first half of 2022 alone, according to a fraud report from the trade association UK Finance. Data breaches can damage your business’ reputation with consumers and a lack of trust can threaten its continued success.
There are important benefits to ensuring your business maintains PCI DSS certification, for example:
- Secured customer and business data
- Increased customer trust
- Reduced costs from fines, lawsuits, compensation and audits
- A strong foundation for business security programmes
Some of the basic PCI DSS requirements overlap with General Data Protection Regulation (GDPR) and other data security regulations, so by complying your business will have the systems in place to also meet those requirements.
What happens if your business fails PCI DSS compliance?
PCI DSS compliance is not required by law, but the card associations in the Security Standards Council can fine banks for data breaches. If your business does not comply with the standards the bank could pass on the fine or close your account.
There are other potential consequences for failing to comply, especially if your business experiences a data breach. These consequences include:
- Suspension of ability to accept card payments
- Compulsory forensic examination, which can be time-consuming and expensive
- Liability for fraud charges if customer data is stolen
- Card issuers may pass on card replacement costs
- Requirements to inform customers of a security breach and provide credit monitoring services
- Heavy fines under GDPR if a breach of personal information is not reported within 72 hours
While the UK’s Information Commissioner’s Office (ICO) states that PCI DSS compliance is not necessarily equivalent to compliance with GDPR, should an organisation that processes card data suffer a data breach, the ICO will consider the extent to which the organisation complies with PCI DSS requirements when deciding what action to take.
Get help with PCI DSS compliance
If your business takes card payments, then the payment processing provider you use must offer robust payment security. Merchant Savvy can help you find a payment processor that will ensure your business complies with the latest PCI DSS guidelines. Contact us today to discuss your needs.
How does PCI DSS compare to PSD2?
As a greater proportion of transactions occur online each year, the original PCI DSS regulations outlined in 2006 were updated. In September 2019 the Payment Services Directive 2 (PSD2) was introduced to increase payment security in digital transactions and ensure greater consumer protection.
PSD2 is a payment security standard that applies primarily to payments made in EU/EEA currencies.