PCI Compliance Level 4 is the lowest merchant compliance level under the Payment Card Industry Data Security Standard (PCI DSS). PCI Level 4 applies to merchants that process fewer than 20,000 Visa or Mastercard e-commerce transactions per year, or up to 1 million total Visa or Mastercard transactions per year across all channels, and that have not suffered a breach or compromise of cardholder data (a breached merchant can be escalated to a higher level at the card brand's discretion).
Discover, American Express and JCB do not have a PCI Level 4 designation. Instead, Discover and American Express stop at PCI Level 3, while JCB has only two merchant levels.
Merchants that qualify as PCI Level 4 must achieve PCI DSS compliance by meeting their acquiring bank's validation requirements. Typically, they must:
- Complete the applicable Self-Assessment Questionnaire (SAQ) annually
- Have an Approved Scanning Vendor (ASV) perform a quarterly external vulnerability scan, if they have externally facing systems in scope
Unlike higher-level merchants, PCI Level 4 merchants do not need an on-site assessment by a Qualified Security Assessor (QSA) or a Report on Compliance (ROC); they generally validate with an SAQ and the accompanying Attestation of Compliance (AOC).
There is no Level 4 for service providers; service providers are classified only as Level 1 or Level 2. Service providers perform payment, hosting, or other services for merchants or banks that involve processing, storing, or transmitting cardholder data, or that can affect the security of that data.
What is the PCI SAQ, and what is the compliance process for PCI Level 4 merchants?
Here is a brief overview of what a PCI Level 4 merchant must do in the SAQ process to become PCI compliant.
- Determine your validation type. First, identify which Self-Assessment Questionnaire (SAQ) applies to your business, based on how you accept and handle card data (for example, fully outsourced e-commerce, standalone dial-out terminals, or a payment application connected to the internet). The SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site assessment under the PCI DSS assessment procedures.
- The purpose of the SAQ is to help organizations self-assess their compliance with PCI DSS; your acquiring bank will typically require you to submit it.
- Next, complete the SAQ according to the PCI SSC's SAQ Instructions and Guidelines.
- Scan your in-scope externally facing systems for vulnerabilities using a PCI SSC Approved Scanning Vendor (ASV). The list of ASVs is published on the PCI SSC site. Note that an ASV scan is not required for every SAQ type: it is required for the SAQ types that cover systems with external IP addresses (for example SAQ A-EP, B-IP, C, and D) and not for SAQ A, B, C-VT, or P2PE.
- If you store cardholder data electronically or your processing systems have any internet connection, you must obtain a passing quarterly scan from an ASV.
- Complete the Attestation of Compliance (AOC) included in the SAQ form, then send the SAQ and AOC, together with evidence of a passing scan (if applicable) and any other documents your acquirer requests, to your acquiring bank.
All merchants, large or small, must be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for any entity that processes, stores or transmits cardholder data.
As detailed above, filling out the SAQ itself is relatively simple. The real challenges lie in selecting the appropriate SAQ and implementing all the controls it requires. Some companies also struggle to map controls between PCI DSS and other compliance frameworks they implement at the same time. PCI DSS is flexible in that companies can use compensating controls in some cases, but other frameworks may be less flexible.
Beyond initially implementing these controls, companies face the challenge of long-term maintenance. An SAQ and supporting documents are submitted annually, but the acquiring bank or a payment brand can request evidence of compliance at any time. PCI compliance is therefore something the merchant has to maintain throughout the year, not just at submission time.
What is PCI DSS?
PCI DSS was first published in 2004 by the major payment brands and has been maintained by the PCI Security Standards Council (PCI SSC) since the council's formation in 2006. Its purpose is to protect cardholder data from breaches and misuse. The PCI SSC's participating organizations include financial institutions, merchants, payment processors, software developers, and point-of-sale vendors.
Merchants and service providers must be PCI compliant to process, store or transmit cardholder data. Otherwise, they face penalties from the card brands and acquirers, including fines and possible loss of the ability to accept card payments.
Except for PCI Level 1, all merchant levels validate by completing a self-assessment questionnaire (SAQ) and, where applicable, passing a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV). PCI Level 1 merchants must instead undergo an annual on-site assessment.
Merchants categorized as PCI Level 1, 2, or 3 must report their compliance status directly to their acquiring bank. PCI Level 4 merchants should check with their acquiring bank to find out whether, and how, they need to validate their compliance.
For PCI Level 1 merchants, PCI DSS compliance requires an annual Report on Compliance (ROC) produced through an on-site assessment, performed either by a Qualified Security Assessor (QSA) or by an internal assessor, in which case the ROC must be signed by an officer of the company. A quarterly network scan by an ASV and an Attestation of Compliance (AOC) are also required.
Submitting an annual Self-Assessment Questionnaire (SAQ), a quarterly ASV network scan, and an Attestation of Compliance (AOC) are the typical validation requirements for PCI Level 2, 3, and 4 merchants. For PCI Level 4 merchants, however, the acquirer decides which of these are required, so not all of them may apply.