If your organization processes, stores, or transmits cardholder data for the major credit card brands, you are required to be compliant with PCI DSS. PCI DSS is not required by U.S. federal law (it is an industry standard mandated by the credit card companies), but some states have laws that refer to PCI DSS explicitly or contain equivalent mandated standards. Additionally, being found out of compliance can put your company in the crosshairs of the FTC.

The PCI DSS mandates that organizations follow 12 requirements, each categorized under one of six goals. Additionally, there are four PCI DSS merchant levels, which determine the type of validation an organization needs for its PCI DSS compliance. They are primarily determined according to a company’s risk profile and are as follows:

Merchant Level 1 applies to companies that handle more than six million Mastercard or Visa transactions annually. This merchant level also applies to companies that have experienced an attack resulting in compromised card data or that have been deemed a Level 1 by a card association.

Merchant Level 2 applies to companies that handle between one and six million Mastercard or Visa transactions annually.

Merchant Level 3 is for companies that handle between 20,000 and one million e-commerce Mastercard or Visa transactions annually.

Merchant Level 4 companies process (1) fewer than 20,000 Mastercard or Visa e-commerce transactions annually or (2) up to one million Mastercard or Visa transactions annually.

PCI DSS Merchant Level Validation Requirements

Levels 2 and 3 have very similar validation requirements:

* An annual self-assessment using the applicable self-assessment questionnaire (SAQ)
* A quarterly network scan by an approved scanning vendor (ASV)
* An Attestation of Compliance form

Merchant Level 4 validation standards are dictated by the organization’s acquiring bank. Typically, the bank will require, at minimum, an annual SAQ and quarterly scans by an ASV.

Then, there’s Merchant Level 1. Because of the higher level of risk these companies pose, either due to dealing with a very large number of transactions or having previously been breached, they are not allowed to self-assess. In addition to a quarterly scan by an ASV and an Attestation of Compliance form, Merchant Level 1 companies must undergo an annual audit, known as a Level 1 onsite assessment, conducted by a certified PCI DSS Qualified Security Assessor (QSA) such as Lazarus Alliance.

The QSA evaluates the Merchant Level 1 company’s IT policies and procedures, payment applications, and card data network environment, compiling a detailed assessment of vulnerabilities and a list of improvements to prevent breaches. At the end of the audit process, the QSA prepares a Report on Compliance (ROC) to be submitted to the company’s acquiring bank. Before the ROC is submitted, the QSA works with the organization being audited to address any issues that were noted.

What happens if you breach a Merchant Level requirement?

If you breach a PCI DSS Merchant Level requirement, the card associations can punish your company by slotting it into a higher Merchant Level. It’s very important to correctly classify your company and ensure that you are using the correct validation process for your Merchant Level.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.