June 13, 2023
A Guide to the 4 Levels of PCI Compliance
Learn about the PCI DSS standard, the four levels of PCI compliance, and how Skyflow eases compliance with PCI DSS and other data privacy standards and laws.
The Payment Card Industry Data Security Standard (PCI DSS) is a baseline security standard for merchants processing credit card transactions. To work with major credit card brands, a merchant must follow these standards to maintain PCI compliance. Failure to maintain PCI compliance puts a merchant’s sensitive customer data at risk, and it also puts the merchant themselves at risk — of a damaged reputation and costly liability and chargebacks.
In addition to following the PCI DSS, merchants must assess their compliance. The PCI DSS outlines four levels of PCI compliance based on the merchant’s annual transaction volume. Merchants must determine which level of compliance is applicable and run assessments, audits, and reporting.
In this post, we’ll look at the various levels of PCI compliance and the most significant components of PCI compliance reporting. We’ll also look at how Skyflow eases PCI compliance by isolating, protecting, and governing PCI data.
What Are PCI Compliance Levels — and Why Do They Matter?
A merchant’s PCI compliance level dictates how thoroughly the merchant needs to assess and report their PCI DSS practices — and whether the merchant needs to present those reports to their acquiring bank. A merchant’s acquiring bank, sometimes called a sponsor bank, is a bank that has a license with the payment networks to authorize and settle merchant transactions. Ultimately, the acquiring bank is also in charge of ensuring that its merchants are compliant with the PCI standard. Some banks will offload this responsibility to the merchant’s payment service provider.
The Major Components of PCI Compliance Reporting
There are multiple documents, records, and audits that a merchant might need to complete to achieve PCI compliance. They are highly situational, but all merchants should be aware of the potential need for additional documentation and records, as well as audits that they might need to complete as they scale.
Self-Assessment Questionnaires
The PCI SSC provides nine self-assessment questionnaires (SAQs). The right questionnaire for a given merchant depends on factors such as how the merchant processes transactions or which network they are using. For example, the SAQ A is for merchants that outsource all of their payment processing and transaction information, while the SAQ A-EP is for merchants that partially outsource their e-commerce payment channel to third parties validated by PCI DSS.
Reports of Compliance
A Report of Compliance (ROC) is submitted to the acquiring bank to document the merchant’s adherence to PCI DSS standards. A ROC may be completed internally by the merchant or externally by a third-party qualified security assessor (QSA), depending on the merchant’s level of PCI compliance.
Attestations of Compliance
An Attestation of Compliance (AOC) is a report submitted by a third-party QSA verifying that the merchant meets the applicable compliance requirements. If a merchant is required to file a SAQ, the AOC will attest to the validity of the SAQ; if a merchant is required to file a ROC, the AOC will attest to the validity of the ROC.
Quarterly Network Scans
Quarterly network scans should be performed across the merchant’s network by approved scanning vendors (or ASVs). A network scan is intended to identify any weaknesses within the merchant’s network that could ultimately be detrimental to their management of cardholder information — such as unpatched software or open ports.
Annual Penetration Testing
Annual penetration testing puts a merchant’s network through rigorous stress tests. During a penetration test, security professionals attempt to hack the merchant and gain access to sensitive information. A penetration test can reveal security issues that would otherwise fly under the radar.
As noted, the requirements above are separate from the actual elements of PCI DSS compliance. PCI DSS compliance encompasses a total of 12 requirements that an organization must follow. The methods described above are used to verify adherence to those controls.
Levels of PCI Compliance
A merchant’s PCI compliance level is ranked from 1 to 4, with Level 1 merchants processing the highest transaction volume and Level 4 merchants processing the lowest transaction volume. A merchant’s compliance level is assessed annually.
Here’s a summary of the requirements for merchants at various PCI compliance levels:
Level 4: Fewer Than 20,000 Card Transactions
Level 4 encompasses smaller merchants and merchants just getting started. A Level 4 merchant doesn’t need to submit anything to the acquiring bank to maintain PCI compliance. Still, it’s considered a best practice for merchants to complete a SAQ, as it helps them validate their security and controls. Level 4 merchants should also conduct quarterly network scans, but reporting isn’t required.
Level 3: 20,000 to One Million Card Transactions
At Level 3, a merchant completes anywhere from 20,000 to one million card transactions per year. A Level 3 merchant must complete a SAQ, submit an AOC, and complete a quarterly network scan to maintain compliance. Level 3 merchants also have the option of submitting a ROC, but they don’t need to. Submitting a ROC can improve trust with customers and financial institutions, as can completing an annual penetration test.
Level 2: One Million to Six Million Card Transactions
At Level 2, a merchant processes one million to six million card transactions a year. A Level 2 merchant is required to submit a SAQ and an AOC. Level 2 merchants must also complete a quarterly network scan and an annual penetration test. As with a Level 3 merchant, submitting a ROC is optional at this level.
Level 1: Over Six Million Card Transactions
A Level 1 merchant is one of the busiest merchants in the world. Every year, a Level 1 merchant completes over six million card transactions. Level 1 merchants must complete an audit by a QSA to file a ROC, and must also complete an AOC, quarterly network scans, and annual penetration tests.
If a merchant experiences a data breach and isn’t PCI compliant, that merchant could face significant fines.
Ease PCI Compliance with Skyflow
As your transaction volume increases, so do your PCI reporting requirements. Skyflow Data Privacy Vault eases PCI compliance by isolating, protecting, and governing PCI data in a vault that’s designed for the express purpose of protecting sensitive data without sacrificing data use.
When working with a QSA to obtain your PCI Merchant Compliance Status, using Skyflow to remove all card data from your systems and business processes and replace that card data with tokens reduces your compliance scope by more than 90%. This makes Skyflow an effective way to accelerate your compliance timeline.
As your company grows and your PCI compliance requirements increase, you can continue using Skyflow to protect PCI data while gaining the flexibility to orchestrate payments across vendors. With payment orchestration, you can expand profitably into new markets and recover from payment vendor outages.
Skyflow eases all aspects of PCI compliance, including security audits like network scans and penetration tests.
With Skyflow, you can fast-track your PCI compliance with capabilities like the following:
- Reduction of PCI Compliance Scope: By isolating PCI data in Skyflow and keeping it out of your other systems with our flexible approach to tokenization, you reduce the cost and complexity of achieving and maintaining PCI compliance.
- Simplified Audit Logging: With Skyflow, you can conduct security audits with ease because sensitive PCI data is stored in Skyflow, not scattered across other infrastructure and systems in a state known as “data sprawl”.
- Advanced Data Governance: Use Skyflow’s fine-grained access controls and other data governance capabilities to control who can access sensitive data, and for which purposes.
- Data Residency: You can use Skyflow’s data residency solution to keep your customers’ sensitive data close to those customers without adding a new instance of your infrastructure in each region. To learn more about this scenario, read about why Apaya works with Skyflow to deliver both PCI payment orchestration and data residency to their customers.
- Turnkey PCI Level 2-4 Compliance: Skyflow will guide you through completing the appropriate PCI questionnaire required for an Attestation of Compliance, and help you to conduct quarterly network scans as needed.
Give Skyflow a Try
Equipped with privacy-preserving features such as encryption, tokenization, masking, and fine-grained data governance, Skyflow empowers startups and enterprises alike to meet privacy requirements and achieve compliance with a simple yet powerful API.
And Skyflow doesn’t just provide comprehensive solutions for PCI data. It supports the secure storage and use of all types of sensitive data, including healthcare data governed by laws like HIPAA and PII governed by laws like CPRA. Skyflow also eases compliance with data residency requirements.