With less than three months remaining until the deadline for PCI DSS 4.0 compliance, now is the time to assess your business’s status and determine what steps you need to take. The Payment Card Industry Data Security Standard (PCI DSS) sets security requirements to protect cardholder data and reduce the risk of data breaches. The standards apply to all entities storing, processing, or transmitting payment card information.
PCI DSS divides merchants into four levels based on the number of card transactions they process annually, and each level has specific compliance requirements. Understanding which level your business falls under is essential for determining what actions must be taken to meet the upcoming compliance deadline.
Here’s a breakdown of PCI DSS merchant levels and what’s required for each.
Level 1: The Highest Compliance Threshold
Merchants processing over 6 million payment card transactions annually—across all channels (in-store, online, mobile, unattended, or call center)—or any merchant that has experienced a data breach are classified as Level 1.
Compliance Requirements for Level 1 Merchants:
- Annual Onsite Assessment: A Qualified Security Assessor (QSA) must conduct an annual onsite assessment to verify compliance with PCI DSS 4.0. This ensures that all security controls and practices are in place and functioning properly.
- Quarterly Network Scans: Level 1 merchants must complete quarterly network scans by an Approved Scanning Vendor (ASV) to detect vulnerabilities in their network that attackers could exploit. (Note: MainNerve is not an ASV.)
- Penetration Testing: Level 1 merchants are also required to conduct penetration testing to simulate cyberattacks and identify potential weaknesses in their systems. Unlike the quarterly scans, penetration testing does not have to be performed by an ASV.
- Risk Assessments: Regular risk assessments are essential to ensure that any emerging threats are recognized and mitigated.
- Increased Internal Controls (under PCI DSS 4.0): PCI DSS 4.0 places a greater emphasis on internal controls, meaning Level 1 merchants must have robust, continuously evolving security systems to stay ahead of cyber threats.
Failure to comply with these requirements can lead to serious financial and reputational risks for businesses in this category. Compliance with PCI DSS is not just about avoiding penalties—it’s about protecting sensitive customer data and maintaining trust.
Level 2: For Medium-Sized Merchants
Merchants that process between 1 million and 6 million transactions annually across all channels are classified as Level 2 merchants.
Compliance Requirements for Level 2 Merchants:
- Self-Assessment Questionnaire (SAQ): Level 2 merchants must complete an annual self-assessment questionnaire (SAQ), which is a set of questions designed to help the merchant assess whether they meet the requirements of PCI DSS.
- Quarterly Network Scans: Similar to Level 1 merchants, Level 2 businesses must undergo quarterly network scans by an ASV.
- Penetration Testing: Regular penetration testing is also required to identify and address potential vulnerabilities.
- Ongoing Security Training: Maintaining employee awareness of security practices is crucial for preventing data breaches and ensuring security protocols are followed. Level 2 merchants must implement ongoing employee security training to keep staff up-to-date on the latest threats and mitigation practices.
Level 2 merchants must take steps to ensure their systems and employees stay aligned with PCI DSS 4.0, particularly as the evolving landscape of cyber threats continues to present new challenges.
Level 3: E-Commerce Merchants
Merchants who process 20,000 to 1 million e-commerce transactions annually fall under Level 3.
Compliance Requirements for Level 3 Merchants:
- Annual SAQ: Like Level 2 merchants, Level 3 businesses are required to complete an annual SAQ.
- Quarterly Network Scans: These merchants must also undergo quarterly network scans by an ASV.
- Penetration Testing: Penetration testing is mandatory to test their systems’ integrity and identify vulnerabilities.
- Web Application Firewalls (WAF): Web applications are often targeted by cybercriminals, so Level 3 merchants must pay special attention to implementing and maintaining a web application firewall (WAF) to monitor and protect applications from attacks.
- Vulnerability Monitoring: Regular monitoring of applications for vulnerabilities is necessary to minimize risks associated with web-based attacks.
Due to the specific nature of e-commerce transactions, Level 3 merchants must ensure that their online payment systems are secure and that their websites and applications are resistant to cyber threats.
Level 4: Small Merchants
Merchants processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually across all channels are classified as Level 4.
Compliance Requirements for Level 4 Merchants:
- SAQ Completion: Level 4 merchants typically only need to complete an annual SAQ.
- Quarterly Network Scans (If Required): Depending on transaction volume and perceived risk, some card brands may require quarterly network scans for Level 4 merchants.
- Cost-Effective Security Measures: As many Level 4 merchants are small businesses, it’s recommended they implement cost-effective security solutions, such as tokenization (replacing sensitive data with non-sensitive equivalents) or outsourcing payment processing to third-party providers with strong PCI DSS compliance records.
Though the compliance requirements for Level 4 merchants are less rigorous, they still need to take proactive steps to ensure the robustness of their payment systems and data security practices.
Key Emphasis in PCI DSS 4.0: Continuous Security Practices
One of the major shifts introduced in PCI DSS 4.0 is the emphasis on continuous security practices. This is a critical update, as the traditional approach of meeting compliance once a year and ignoring security for the rest of the time is no longer sufficient.
PCI DSS 4.0 encourages businesses to adopt ongoing security monitoring, regular risk assessments, and continuous employee training regardless of the merchant level. Cyber threats evolve rapidly, and businesses must stay proactive in managing risks and maintaining compliance to protect both customer data and their own business operations.
Prepare Now: The PCI DSS 4.0 Deadline is Fast Approaching
As the PCI DSS 4.0 compliance deadline looms, businesses must act now to ensure they meet the required standards. Whether you are a Level 1, Level 2, Level 3, or Level 4 merchant, the time to start preparing for compliance is now. Don’t wait until the last minute to implement changes, complete assessments, and train staff.
At MainNerve, we understand the complexities of PCI DSS compliance and are here to help guide you through the process. Contact us today to discuss how we can support your business in achieving and maintaining PCI DSS 4.0 compliance before the deadline hits.
By understanding your business’s level and its specific PCI DSS requirements, you’ll be well on your way to ensuring your payment systems are secure, compliant, and resilient against cyber threats. Stay ahead of the curve and protect your customers’ data with the right security measures in place.