
The Ultimate PCI Compliance Guide | Why it’s Essential + 10 Expert Tips

Published On: March 5th, 2021

While payment security looks a little different for each merchant, it continues to remain a top priority across all industries. To help with this, businesses look to PCI compliance standards for guidance. Although these standards offer a lot of direction to better protect cardholder data, they are not foolproof against all cybersecurity attacks.

To meet evolving compliance standards and better prepare for growing cyber threats, we brought in 10 industry experts to help you build the strongest infrastructure possible.

What is PCI compliance?

PCI (Payment Card Industry) compliance is a fancy way of saying your business is following proper security measures to successfully accept, process, and store credit card payments. PCI compliance is not legally required but is mandatory in certain cases.

The Payment Card Industry Data Security Standard (PCI DSS) defines these security requirements. The PCI Security Standards Council (PCI SSC) — established by Visa, American Express, Discover, Mastercard, and JCB International credit card providers in 2006 — is responsible for upholding these standards, ensuring merchants meet them, and managing data security worldwide.


PCI compliance: Levels, assessments, and requirements

PCI levels are typically determined by merchants’ annual transactions and business size:

  • Level 1: Merchants who process over six million transactions per year and service providers that process over 300,000 credit card transactions annually. (Typically large businesses.)
  • Level 2: Merchants who process between one and six million transactions per year and service providers who process fewer than 300,000 transactions annually. (Typically mid-to-large-sized businesses.)
  • Level 3: Merchants who process between 20,000 and one million transactions per year. (Typically small-to-mid-sized businesses.)
  • Level 4: Merchants who process fewer than 20,000 transactions per year. (Typically small businesses.)


PCI validation assessments

A merchant’s PCI compliance level determines its annual and quarterly validation requirements. Depending on your level, here are some of the validation forms you may have to complete:

PCI DSS requirements

The PCI Security Standards Council provides merchants with a general list of security standards to follow to become PCI compliant:

In addition to these 12 security standards, each compliance level has separate requirements merchants must complete:

Level 1 merchants are required to provide:

  • A Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor
  • Quarterly scans by an Approved Scanning Vendor (ASV)
  • An Attestation of Compliance (AOC) completed by a QSA

Level 2 merchants are required to provide:

  • Self-Assessment Questionnaire (SAQ) completed by the merchant
  • Quarterly scans completed by an Approved Scanning Vendor (ASV)
  • An AOC completed by a QSA
  • Sometimes an additional PCI scan

Level 3 merchants are required to provide:

  • An SAQ completed by the merchant
  • Quarterly scans completed by an ASV
  • An AOC completed by a QSA

Level 4 merchants are required to provide:

  • An SAQ completed by the merchant
  • Quarterly scans completed by an ASV

PCI compliance benefits: A surefire way to limit breaches & save your business

“PCI Compliance is a widely accepted and expected information security standard. It gives your brand much-needed credibility and certifies your ability to handle card data and transactions. To the layman, it gives an assurance that their card details will be handled securely.”

Bram Jansen