Understanding PCI Levels & How They Affect Your Business’s PCI Compliance Requirements
If you want to accept credit and debit cards in your business, one issue you’ll inevitably have to deal with is PCI compliance. Briefly, this is a set of standards you’ll have to comply with to protect your customers’ card information from being compromised or stolen. You wouldn’t like it if a hacker got a hold of your credit card information, and neither will your customers.
Fortunately, your processor should usually take care of most of the work required to ensure that you’re PCI compliant. However, there are a few requirements that you’ll have to meet yourself, and you’ll also want to have a good understanding of how the overall PCI compliance system works.
One of the most basic steps involved in ensuring PCI compliance is determining your merchant risk level. There are four possible risk levels, depending on the size of your business and how many credit card transactions you accept every year. This article will explain the four PCI merchant risk levels and show you how to figure out which one applies to your business. Don’t worry — it’s really very easy! We’ll also review the various requirements that apply to each of these levels.
Table of Contents
How Do PCI Merchant Levels Work?
| Criterion | PCI Level 4 | PCI Level 3 | PCI Level 2 | PCI Level 1 |
|---|---|---|---|---|
| Annual transaction volume (eCommerce) | Fewer than 20,000 | 20,000 to 1,000,000 | N/A | N/A |
| Annual transaction volume (all sales channels) | Up to 1,000,000 | N/A | 1,000,000 to 6,000,000 | More than 6,000,000 |
The term “PCI compliance” refers to the process of complying with the requirements of the Payment Card Industry Data Security Standard (PCI DSS). This standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), formed in 2006 by Mastercard, Visa, American Express, Discover, and JCB to establish a common security standard for the payment processing industry (the first version of PCI DSS itself had been released by the brands in December 2004). UnionPay joined the founding brands as a strategic member in 2020, and acquiring banks, processors, and vendors take part as participating organizations. Note, though, that the PCI SSC publishes the standard; it is the card brands, acting through your acquirer, that define merchant levels and enforce compliance.
It’s important to understand that PCI compliance requirements are not an example of government regulation making life more difficult for small business owners. While the Federal Trade Commission (FTC) does get involved in cybersecurity as it relates to commerce, and a few US states (Nevada, Minnesota, and Washington among them) reference PCI DSS in their own data-security laws, PCI compliance requirements and their enforcement are overwhelmingly a product of private enterprise policing itself, and looking out for its own best interests. Data breaches and card fraud cost the industry a tremendous amount of money each year, and it’s only natural for it to take every reasonable step to limit that loss.
If you’re a small business owner, don’t fall into the trap of thinking that you’re too small a target for hackers and fraudsters to be interested in. While a large business can suffer a massive data breach and absorb the economic damage that ensues, a smaller business can be wiped out by a significant breach. The requirements for a small business to maintain PCI compliance are simple enough that there’s really no excuse for not meeting them. Most of the heavy lifting involved in keeping your business compliant is handled by your processor anyway, leaving you free to concentrate on managing the day-to-day details of running your business.
As the threats to your customers’ card data have evolved over the years, PCI DSS has been revised and updated to keep that data protected. As of May 2021, when this article was written, the current standard was PCI DSS 3.2.1, with a revised PCI DSS 4.0 in development for several years and its release, delayed by the COVID-19 pandemic, not expected until at least Q4 of 2021. (PCI DSS 4.0 was ultimately published in March 2022, and version 3.2.1 was retired on March 31, 2024.) For more details on how the PCI compliance system works, check out our guide on PCI DSS compliance levels and standards and what role payment processors play in it.
What PCI Compliance Levels Mean For Your Business
The card brands (not the PCI SSC itself, which publishes the standard but does not assign merchant levels) have each established four merchant levels, commonly called the PCI Merchant Risk Level System. These levels are based on the number of credit and debit card transactions your business processes annually. The more transactions you process, the more cardholder data a breach of your systems would expose, so the brands demand more rigorous validation as your volume rises. You’ll also need to distinguish between your retail and eCommerce transactions in determining your level, because card-not-present transactions carry higher fraud and breach risk, and eCommerce volume on its own can move you up a level.
Knowing which level you fall under matters because your processor will require different validation documentation and procedures for each one. Many merchants have never heard of the levels, so before you can send in the correct documentation, you need to know what each level means and which one applies to you. Fortunately, working out your level is straightforward. Keep in mind that your acquirer (the bank behind your merchant account) makes the final determination, so confirm your level with them rather than assuming.
Note that each major card brand (Visa, Mastercard, American Express, etc.) publishes its own merchant level criteria, and each brand counts only its own transactions. Visa and Mastercard use the thresholds shown in the table above; American Express uses lower ones (its Level 1 starts at 2.5 million American Express transactions a year). Measuring your total card transactions across all brands against the Visa/Mastercard thresholds, as this article does, gives a conservative answer for those two brands, but if a large share of your volume is American Express, check its thresholds separately. If the two methods put you at different levels, ask your acquirer which one applies.
Breaking Down PCI Compliance Levels
Below, we’ll discuss the criteria and compliance requirements for all four merchant levels. We’ll start with Level 4 and work our way up, since Level 4 has the least stringent requirements and applies to the smallest businesses.
PCI Level 4
If your business processes fewer than 20,000 eCommerce transactions annually and no more than 1 million transactions across all sales channels, you’ll be in Merchant Level 4. This is the most common merchant level, and most small businesses fall under it. Note that both conditions must hold: an eCommerce-only business, or one with a significant number of online transactions on top of traditional retail sales, can pass the 20,000 eCommerce mark while its total volume is nowhere near 1 million, and it then lands in Level 3. Coordinate closely with your processor to ensure you both agree on which merchant level applies to your business.
Merchant Level 4 compliance requirements include:
- Complete and file an annual Self-Assessment Questionnaire (SAQ) published by the PCI Security Standards Council (PCI SSC). This can often be completed online on your processor’s website. Which SAQ you fill out (A, A-EP, B, B-IP, C-VT, C, P2PE, or D) depends on how you accept cards, not on your merchant level, so choose the one that matches your setup rather than the shortest one.
- Complete and obtain evidence of passing a quarterly external vulnerability scan by a PCI SSC Approved Scanning Vendor (ASV). Your merchant account provider can usually arrange this for you. Wherever scans apply they are quarterly, but they apply only to some SAQ types (A-EP, B-IP, C, and D), because a merchant who fully outsources card handling has no internet-facing cardholder data environment to scan.
- Complete and file the appropriate Attestation of Compliance (AOC) in its entirety. It is the signed attestation section at the end of the SAQ document.
That’s it, as far as the paperwork goes. Strictly speaking, Level 4 validation is at your acquirer’s discretion; the brands recommend the annual SAQ and quarterly ASV scans where applicable, and most acquirers ask for at least the SAQ. Keep your SAQ updated every year and make sure the scans are done where they apply, and remember that the SAQ is a self-assessment: its value lies in the controls it asks about (changing default passwords, keeping card data out of your own systems, patching your terminals and any web server) actually being in place. Done honestly, it reduces your risk of a data breach and lets you assure your customers that it’s safe to entrust you with their card information.
For more information on Merchant Level 4 compliance requirements, please see our article, The Quick Guide To PCI Compliance For Small Businesses: What You Need To Know & How To Become Compliant.
PCI Level 3
If your business processes between 20,000 and 1 million eCommerce credit/debit card transactions per year, you’ll be in the Level 3 category for PCI compliance. This is basically a separate category for larger eCommerce businesses. Retail-only businesses will be in Levels 1, 2, or 4, depending on their annual card transaction volume.
Compliance requirements for Level 3 merchants include:
- Complete and file an annual Self-Assessment Questionnaire (SAQ) published by the PCI Security Standards Council (PCI SSC).
- Complete and obtain evidence of passing a quarterly external vulnerability scan by a PCI SSC Approved Scanning Vendor (ASV), where your SAQ type calls for one (A-EP, B-IP, C, and D do; a fully outsourced SAQ A merchant has nothing in scope to scan).
- Complete and file the appropriate Attestation of Compliance in its entirety. This is the attestation section at the end of the SAQ.
The artifacts are the same as for Level 4. The practical difference is that, at Level 3, the card brands require this validation every year, whereas at Level 4 it is left to your acquirer to decide what to ask for; the ASV scans are quarterly at both levels wherever they apply.
PCI Level 2
Merchants processing between 1 million and 6 million credit/debit card transactions per year will fall under the Level 2 PCI compliance requirements. This counts transactions from every channel: retail, mail order/telephone order, and eCommerce. Compliance requirements are essentially the same as for Level 3 and include:
- Complete and file an annual Self-Assessment Questionnaire (SAQ) published by the PCI Security Standards Council (PCI SSC). Note that Mastercard requires Level 2 merchants to have the SAQ completed by staff who hold the PCI SSC Internal Security Assessor (ISA) certification, or else to engage a Qualified Security Assessor (QSA), so at this level you can no longer simply fill in the questionnaire yourself.
- Complete and obtain evidence of passing a quarterly external vulnerability scan by a PCI SSC Approved Scanning Vendor (ASV), where your SAQ type calls for one.
- Complete and file the appropriate Attestation of Compliance in its entirety.
PCI Level 1
Level 1 is the highest level of PCI compliance and applies to merchants who process over 6 million credit/debit transactions per year across all sales channels. A card brand can also designate a global merchant as Level 1 even if its US transactions are below 6 million a year (Visa, for example, treats any merchant identified as Level 1 in another Visa region as Level 1 everywhere). It’s also very important to note that any merchant who has suffered a data breach that resulted in a compromise of card data can be placed in Level 1 at the brand’s discretion, through its acquirer. The PCI SSC itself does not assign levels.
If you’re in Level 1, you’ll have to meet the following requirements to maintain PCI compliance:
- Complete and file an annual Report on Compliance (ROC), written to the PCI SSC’s reporting template. The assessment must be performed by a Qualified Security Assessor (QSA), or by internal staff holding the PCI SSC Internal Security Assessor (ISA) certification, with an officer of the company signing the Attestation of Compliance. Completing the ROC requires an on-site assessment of your cardholder data environment, with evidence gathered for every applicable requirement, and is far more time-consuming (and expensive) than filling out a questionnaire.
- Complete and obtain evidence of passing a quarterly vulnerability scan with a PCI SSC-approved scanning vendor.
- Complete and file the appropriate Attestation of Compliance in its entirety.
Most large businesses that fall into Level 1 will have adequate resources to meet these requirements. However, smaller businesses placed in Level 1 following a data breach may find it very challenging to meet the additional compliance requirements. This is yet another reason to take PCI compliance seriously and avoid being placed in the Level 1 “penalty box.”
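The level rules above combine two counts with a precedence order (strictest rule first) and a breach override, and the scan requirement depends on the SAQ type rather than the level. The following Python classifier is an added example written for this article, not a tool from the PCI SSC or any card brand. It uses the Visa/Mastercard thresholds from the table; the boundary handling (a count landing exactly on 20,000 or 1,000,000 is treated as the stricter level), the SAQ-type-to-scan mapping (taken from the PCI SSC’s SAQ instructions), and the sample merchants are assumptions and constructed inputs, and your acquirer makes the final call.

```python
"""Merchant-level classifier for the Visa/Mastercard-style thresholds in this
article.  Added illustration only; not published by the PCI SSC or any brand."""

from dataclasses import dataclass
from typing import Tuple

# Thresholds from the table above (Visa/Mastercard style, all transactions/year).
ECOMMERCE_LEVEL3_MIN = 20_000   # eCommerce volume that lifts a merchant to Level 3
LEVEL2_MIN = 1_000_000          # total volume at which Level 2 starts (assumed inclusive)
LEVEL1_MIN = 6_000_000          # total volume above which Level 1 applies

# SAQ types whose PCI SSC instructions call for quarterly ASV scans.  SAQ A, B,
# C-VT and P2PE merchants have no internet-facing cardholder data environment
# of their own to scan, so no ASV scan is required for them.
SAQ_TYPES_REQUIRING_ASV_SCAN = frozenset({"A-EP", "B-IP", "C", "D"})


@dataclass(frozen=True)
class MerchantProfile:
    """Annual counts across all card brands (conservative for Visa/Mastercard;
    each brand really counts only its own transactions)."""
    total_txns: int          # every channel: card-present, MOTO and eCommerce
    ecommerce_txns: int      # the eCommerce subset of total_txns
    breached: bool = False   # True once a brand has placed you at Level 1 after a compromise


def merchant_level(profile: MerchantProfile) -> Tuple[int, str]:
    """Return (level, reason).  Rules are checked strictest first so an
    eCommerce-heavy merchant cannot fall through to Level 4.  Assumption: a
    count landing exactly on a threshold is treated as the stricter level."""
    if profile.total_txns < 0 or profile.ecommerce_txns < 0:
        raise ValueError("transaction counts cannot be negative")
    if profile.ecommerce_txns > profile.total_txns:
        raise ValueError("eCommerce transactions are a subset of total transactions")

    if profile.breached:
        return 1, "placed at Level 1 by the card brand following a data compromise"
    if profile.total_txns > LEVEL1_MIN:
        return 1, f"more than {LEVEL1_MIN:,} transactions across all channels"
    if profile.total_txns >= LEVEL2_MIN:
        return 2, f"{LEVEL2_MIN:,} to {LEVEL1_MIN:,} transactions across all channels"
    if profile.ecommerce_txns >= ECOMMERCE_LEVEL3_MIN:
        return 3, f"{ECOMMERCE_LEVEL3_MIN:,} to {LEVEL2_MIN:,} eCommerce transactions"
    return 4, (f"fewer than {ECOMMERCE_LEVEL3_MIN:,} eCommerce and under "
               f"{LEVEL2_MIN:,} total transactions")


def asv_scan_required(saq_type: str) -> bool:
    """Quarterly ASV scans depend on the SAQ type (how cards are accepted),
    not on the merchant level."""
    return saq_type.strip().upper() in SAQ_TYPES_REQUIRING_ASV_SCAN


def validation_summary(profile: MerchantProfile, saq_type: str) -> str:
    """One-line statement of what a merchant must produce each year."""
    level, reason = merchant_level(profile)
    if level == 1:
        report = "annual on-site Report on Compliance (ROC) by a QSA or ISA, plus AOC"
    else:
        report = f"annual SAQ {saq_type.strip().upper()} plus its Attestation of Compliance"
    scans = ("quarterly ASV scans" if asv_scan_required(saq_type)
             else "no ASV scan required for this SAQ type")
    return f"Level {level} ({reason}): {report}; {scans}"


if __name__ == "__main__":
    # Constructed sample merchants, not real businesses.
    samples = [
        (MerchantProfile(total_txns=400_000, ecommerce_txns=15_000), "B-IP"),
        (MerchantProfile(total_txns=400_000, ecommerce_txns=30_000), "A-EP"),  # eCommerce lifts it to Level 3
        (MerchantProfile(total_txns=2_500_000, ecommerce_txns=0), "B"),
        (MerchantProfile(total_txns=9_000_000, ecommerce_txns=1_000_000), "D"),
        (MerchantProfile(total_txns=50_000, ecommerce_txns=50_000, breached=True), "A"),
    ]
    for profile, saq in samples:
        print(validation_summary(profile, saq))
```

The second sample is the case the Level 4 description warns about: 400,000 total transactions would be Level 4 on volume alone, but 30,000 of them being eCommerce makes it Level 3. The last sample shows why the breach override is checked first; a tiny merchant still ends up with a Level 1 ROC obligation once a brand has placed it there.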
Additional Concerns For Maintaining PCI Compliance
If you’ve read this far, you might think that being PCI compliant is merely a matter of filling out the Self-Assessment Questionnaire (SAQ) once a year and that your processor will take care of the rest. Naturally, it’s not that simple. PCI DSS applies to every system component that stores, processes, or transmits cardholder data, or that can affect the security of those that do, so your terminals, point-of-sale software, and payment gateway have to be compliant as well. Buying all of your hardware and software from the same provider makes this much easier, since the pieces are designed to work together and the provider has usually had them validated (the PCI SSC publishes lists of validated payment applications and P2PE solutions you can check against), but it does not remove your own responsibilities: the SAQ, changing default passwords, patching, and how your staff handle card data remain yours. If you’re cobbling together a solution from multiple vendors, you’ll also need to confirm that the components work together without leaving gaps (an unencrypted link between two otherwise compliant products, for instance) that could put you out of compliance.
PCI compliance is inevitably a little more challenging for eCommerce merchants because all your transactions are card-not-present and, therefore, riskier. However, with payment processing increasingly moving to integrated, cloud-based solutions, even retail-only merchants have to confirm that their processing solution is PCI compliant. Cloud-based platforms use a payment gateway to transfer your customers’ card data to your provider’s processing system, which raises many of the same scoping questions an online-only business faces: what card data travels over your network, and in what form. A PCI-validated point-to-point encryption (P2PE) terminal, which encrypts the card data inside the reader so your own systems never see it in the clear, is the usual way to keep that scope small and qualify for the short SAQ P2PE.
No discussion of PCI compliance would be complete without mentioning PCI compliance fees, which are fees charged by your provider for services that help you meet PCI compliance requirements. These services usually include quarterly security scans and (sometimes) data breach insurance. Some providers don’t charge a discrete PCI compliance fee but include the cost in your monthly or annual account fee. Others will charge you a small monthly fee for PCI compliance services in addition to your monthly account fee. Unfortunately, the most common practice in the processing industry is to charge a single annual fee (typically around $99) for PCI compliance. The problem with this approach is that most providers won’t refund a prorated portion of this fee if you close your account after they’ve collected your compliance fee for the year.
You should also be aware of PCI non-compliance fees. You’ll only pay these fees if your account is determined to no longer be PCI compliant by your provider. PCI non-compliance fees act as penalties for not maintaining compliance and usually run around $30 per month for every month that your account is out of compliance. This usually happens when your Self-Assessment Questionnaire (SAQ) expires, and you fail to submit a new one. Unfortunately, non-compliance fees are an easy source of revenue for unscrupulous providers that will gladly charge you both a PCI compliance fee and a non-compliance fee until you realize your mistake and correct the situation.
We don’t like PCI non-compliance fees because they penalize you without providing any help to rectify the situation. In many cases, finding a non-compliance fee on your monthly account statement will be your first — and only — clue that you’ve become non-compliant. Note that there are some good providers out there that will give you notice of your non-compliant status and a grace period of up to 90 days to correct the situation before they start charging you a non-compliance fee. Our best advice is to avoid this situation entirely by staying on top of your PCI compliance requirements and submitting your annual SAQs on time.
The Bottom Line On PCI Levels & PCI Compliance
Although PCI compliance is complicated by the fact that each major card brand runs its own compliance program with its own level thresholds and paperwork, all of them validate against the single PCI DSS maintained by the PCI SSC. Validating at the strictest level any one brand assigns you will therefore satisfy the others as well; what differs between brands is who counts as which level and what they ask you to file, not the security requirements themselves.
Don’t be afraid to lean heavily on your merchant account provider for help when it comes to PCI compliance. After all, you’re paying for their services in this area, so you’ll want to take full advantage of them. Different providers offer different services to keep your account compliant and to protect against a breach, so be sure to check out which features your provider is offering you.
Lastly, we can’t emphasize enough the importance of avoiding an actual data breach. For smaller merchants, the additional costs of suffering a breach and being placed in the Level 1 compliance category could be a serious threat to the health of your business.
We’d also like to remind you that some providers offer a more robust set of features designed to safeguard your account and keep you in compliance than others. Choosing a good provider is critically important, not just for PCI compliance but also for protecting your business from chargebacks and other problems. For tips on how to fight chargebacks, check out our article, The Small Business Owner’s Guide To Preventing Chargebacks (& 12 Tips For Fighting Chargebacks).
For a side-by-side comparison of some of our favorite providers, check out our Merchant Account Comparison Chart.