What is PCI DSS Level 1 Compliance?

Payment Card Industry Data Security Standard, also known as PCI DSS, is the set of requirements established by an independent council that ensures when credit card data is processed, stored, or transmitted, it will stay in a secure environment. The PCI Security Standards Council (SSC) was launched in 2004 as the result of a collaboration between American Express, Discover, JCB, Mastercard, and Visa. There are four levels of PCI DSS compliance.

What is PCI DSS Level 1 compliance? Level 1 is the highest level of PCI standards for merchants that process more than six million card transactions annually across all channels, and for merchants that have suffered a data breach in the past.

The PCI SSC says that though it “is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs. Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing self-assessments and when to engage a QSA (qualified security assessor).”

A merchant can prove compliance through:

• The creation of an annual report on compliance (ROC) by a QSA, or a PCI self-assessment questionnaire (SAQ)
• By completing the appropriate Attestation of Compliance (AOC), and 
• Through the submission of the SAQ, ROC, AOC, and any other documentation that has been requested by a payment brand. 

In the event the payment brand is not satisfied by the documentation submitted, the SSC says the merchant can “perform remediation to address requirements that are not in place and provide an updated report.”

As the Council explains, merchant-based vulnerabilities can appear in a number of places within the credit card processing ecosystem including point-of-sale and mobile devices, on personal computers or servers, via wireless hotspots and remote access connections, in software applications, and more. However, vulnerabilities can also occur with companies, vendors, and partners of financial institutions. The reason for PCI DSS compliance is to “alleviate these vulnerabilities and protect cardholder data.”

Merchants that fall into Level 2 (processing between one and six million transactions annually), Level 3 (processing 20,000 to a million transactions annually), and Level 4 (processing less than 20,000 transactions annually) can upgrade to PCI DSS Level 1 Compliance if they choose to do so. Being Level 1 compliant can make you appear more trustworthy to customers, and can help businesses when they are negotiating with banks because it tells them your company takes personal data and credit card security seriously.

PCI DSS Requirements

According to SSC, to be compliant a merchant needs to do the following:

• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
• Requirement 6: Develop and maintain secure systems and applications

• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Identify and authenticate access to system components
• Requirement 9: Restrict physical access to cardholder data

• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

• Requirement 12: Maintain a policy that addresses information security for all personnel

Click here to learn more about the PCI Security Standards.

Penalties for Non-Compliance

Keep in mind that the PCI DSS is a set of security standards, it is not a law. However, that doesn’t mean that failure to comply is not without its ramifications. Non-compliance is enforced through contracts between merchants, payment brands, and acquiring banks. What this means is that each payment brand (Discover, Visa, American Express, and MasterCard) can choose to penalize the acquiring banks for non-compliance with a fine, and these banks can withdraw the ability to accept card payments from the merchants that are non-compliant.

Want to know if your business is compliant with Payment Card Industry Data Security Standards? Reach out to us for expert guidance on a PCI self assessment or support with your ongoing cybersecurity compliance.