What Do PCI Merchant Levels Mean for Your Small Business?
As the digital payments industry keeps expanding, brick-and-mortar stores and eCommerce retailers handle countless customer transactions daily. Unfortunately, card fraud and data breaches impact many purchases and data transfers.
Per the latest data, debit card, EFT, and ACH fraud grew by 8% in 2021. Although credit card fraud declined by 1% from 2020, it still remains a concern. However, data breaches went through the roof, rising 68% compared to 2020.
To decrease fraud risks, merchants must meet PCI compliance requirements. In this article, we’ll help you learn how different PCI merchant levels can change a business’ reporting needs.
What Is PCI DSS Compliance?
Today’s increasingly digital world means that business and consumer transactions mostly take place online. In turn, this trend has led to more reported credit card and debit card fraud incidents.
Some of these card fraud crimes occur during onsite purchases while others take place during eCommerce transactions (or card-not-present sales). These card transactions typically involve a card issued by major credit card brands like Visa, Mastercard, American Express, or Discover. Visa transactions are frequently at risk.
Other cybersecurity incidents can impact service providers that otherwise handle cardholder data. A data breach (or data compromise) means a customer’s card information and/or bank account data has been illegally obtained.
Payment card-related data breaches seem to affect several big retailers every year. Neiman Marcus, Saks Fifth Avenue/Lord & Taylor, Home Depot, and Target are some of the most high-profile companies to be affected.
The PCI DSS solution
In 2006, five credit card companies banded together to form the Payment Card Industry Security Standards Council (PCI SSC). Visa, Mastercard, American Express, and Discover (along with JCB) were the original PCI Security Standards Council participants.
Over the years, several major acquiring banks (or acquirers) and payment processing companies have joined the PCI SSC. Today, many bank-issued prepaid cards must also meet PCI compliance criteria.
The Council aimed to design and administer security standards for businesses tasked with credit card data handling activities. This organization provides the infrastructure and support resources to help card-handling organizations ensure cardholder data security.
Before the PCI SSC was formed, each of the five card companies maintained its own security standards program. Through the Council, the companies established a single standard called the Payment Card Industry Data Security Standard (or PCI DSS).
What the PCI DSS covers
The PCI DSS covers all entities that transmit, store, or process cardholder information and/or sensitive authentication details via payment cards. The standards change to reflect evolving threats.
In their simplest form, PCI DSS requirements include three primary components:
- Secure handling and processing of customers’ credit card data
- Data storage using the 12 recommended PCI DSS data security practices
- Annual validation of required security controls (includes vulnerability scanning)
The term “PCI DSS compliance” means that the card-handling business meets the PCI DSS requirements. Merchants are accountable for consistently maintaining a secure business setting.
If a data breach occurs, merchants are held responsible for the business policies and employee actions that led to the data compromise. The investigation may determine that the business was not PCI-compliant when the breach occurred. In that case, non-compliance results in substantial fines along with a damaged reputation and lost customers.
Small business PCI DSS compliance
When processing payments as a small business, it’s easy to assume a small startup won’t attract attention from card fraudsters. However, a cash-strapped small business is actually most at risk: these fledgling companies often don’t have the resources to withstand a large data breach.
Fortunately, the business’ payment processor (such as Payment Depot) will handle most compliance requirements. In addition, the small business must complete some relatively simple compliance reporting tasks.
How Do PCI Merchant Levels Work?
The PCI Data Security Standard defines four merchant levels based on a business’s annual transaction volume. Each level corresponds to a particular degree of card fraud and data breach risk, and therefore to a particular level of information security need. As the merchant handles more transactions, its data breach risk also rises.
Each merchant must also separate their onsite and eCommerce transactions. A card-not-present eCommerce transaction carries a considerably higher risk of data breach and/or card fraud.
Overall, each merchant should be clear on its PCI compliance level, because its payment processor will require a different set of documentation for each level. Stated another way, each merchant level must complete certain assessment tasks and meet specific security validation requirements in order to pass that level’s PCI DSS compliance assessment.
The PCI Data Security Standard also provides numerous merchant resources. These include tips for data loss and online fraud prevention plus instructions to follow if a data breach occurs.
What Are the PCI Merchant Levels?
Each major card brand (or payment brand) has designed its own PCI DSS compliance protocols. Visa, Mastercard, American Express, Discover, and JCB have also determined the four accountable merchant levels.
These merchant levels are based on the number of transactions the merchant processes annually. Businesses at each merchant level are expected to meet the PCI compliance requirements pertaining to that level.
The four merchant level categories
Each merchant level carries its own PCI compliance criteria. Besides the merchant’s annual transaction volume, other factors can affect a business’s merchant level: businesses that recently experienced a cyberattack would likely be elevated to a higher level, and merchants subject to an unusually high information security risk might also be moved up.
- Level 1: Merchants with over 6 million annual card transactions
- Level 2: Merchants with 1 to 6 million annual card transactions
- Level 3: Merchants with 20,000 to 1 million annual card transactions
- Level 4: Merchants with less than 20,000 annual card transactions
Merchant level determination guidelines
Level 1–3 businesses will likely have more complicated PCI compliance requirements, mostly due to their business type and size. However, these companies often have internal compliance teams, and the security infrastructure (such as firewalls) needed to support their risk and compliance responsibilities.
Small- and medium-sized merchants often fall into the Level 4 classification. Their PCI compliance requirements are often simpler and less stringent.
Why Are Merchant Levels Important for Businesses?
The payment card industry classifies businesses into different merchant levels based on transaction volume. At each PCI merchant level, businesses must complete a defined scope of security assessments and validations; these scopes are the levels of PCI compliance.
Depending on the merchant level and risk exposure, the PCI DSS may also require detailed penetration testing. The merchant’s payment processor should be able to determine whether this is necessary. When the merchant has successfully completed all required assessments, it is deemed to have passed the PCI DSS assessment.
Level 2, 3, and 4 requirements
At Levels 2, 3, and 4, merchants must fill out an annual Self-Assessment Questionnaire (or SAQ). The SAQ types vary based on the business’s merchant level and how it handles payment card information. Each merchant should ensure that they choose the correct SAQ type for their situation.
For example, SAQ A applies to merchants who outsource their retail, eCommerce, and mail/telephone orders to a validated third-party business. In contrast, SAQ D includes merchants who don’t qualify for any other SAQ type.
Besides this self-assessment questionnaire, each business must also allow a quarterly vulnerability scan to be performed. An Approved Scanning Vendor (or ASV) must perform this scan.
Finally, these merchants must also submit an Attestation of Compliance form (or AOC form). Some Level 4 merchants may not be required to perform every exercise.
Level 1 requirements
Instead of the above requirements, Level 1 business owners must agree to an onsite data security assessment. Level 1 merchants must also submit an annual Report on Compliance (or ROC).
An external Qualified Security Assessor (or QSA) or Internal Security Assessor (or ISA) will conduct an assessment that forms the basis for the ROC. Level 1 merchants are also subject to an ASV quarterly network scan. Finally, Level 1 merchants must complete an Attestation of Compliance form.
General reporting requirements
When reporting is complete, Level 1, 2, and 3 merchants must transmit their PCI compliance results to their acquiring bank. Level 4 merchants should ask their acquiring bank whether they must report on PCI DSS compliance.
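To make the level thresholds from “The four merchant level categories” and the per-level validation tasks from the “Level 1 requirements”, “Level 2, 3, and 4 requirements” and “General reporting requirements” sections concrete, here is an added Python example (not code from the article or from Payment Depot). It classifies a merchant from per-channel annual transaction counts, treats “over 6 million” as strictly greater than 6,000,000, and returns the validation tasks for that level; the one-level elevation after a recent breach is an assumed policy that stands in for the article’s “likely elevated”.

```python
# Thresholds as stated in the article (annual card transactions).
LEVEL_1_ABOVE = 6_000_000   # Level 1: more than 6 million
LEVEL_2_FROM = 1_000_000    # Level 2: 1 million to 6 million
LEVEL_3_FROM = 20_000       # Level 3: 20,000 to 1 million; below that is Level 4


def merchant_level(channels: dict, recent_breach: bool = False) -> int:
    """Return the merchant level (1-4) from per-channel annual counts.

    `channels` maps a sales channel ("card_present", "ecommerce", ...) to its
    annual card-transaction count; the level is set by the combined total.
    A recent breach moves the merchant up one level (assumed policy, not a
    rule taken from the article).
    """
    if any(n < 0 for n in channels.values()):
        raise ValueError("transaction counts cannot be negative")
    total = sum(channels.values())
    if total > LEVEL_1_ABOVE:
        level = 1
    elif total >= LEVEL_2_FROM:
        level = 2
    elif total >= LEVEL_3_FROM:
        level = 3
    else:
        level = 4
    return max(1, level - 1) if recent_breach else level


def validation_requirements(level: int) -> dict:
    """Annual validation tasks and reporting path the article lists per level."""
    if level not in (1, 2, 3, 4):
        raise ValueError(f"unknown merchant level {level}")
    if level == 1:
        return {"assessment": "ROC", "assessor": "QSA or ISA (onsite)",
                "asv_scan": "quarterly", "aoc": True, "report_to": "acquirer"}
    # Levels 2-4 self-assess; Level 4 must ask its acquirer whether to report.
    return {"assessment": "SAQ", "assessor": "self",
            "asv_scan": "quarterly", "aoc": True,
            "report_to": "acquirer" if level < 4 else "ask acquirer"}


def compliance_profile(channels: dict, recent_breach: bool = False) -> dict:
    """Combine level determination and the matching validation tasks."""
    level = merchant_level(channels, recent_breach)
    return {"level": level, "total": sum(channels.values()),
            **validation_requirements(level)}


if __name__ == "__main__":
    # Constructed sample: a small shop with mostly in-store sales.
    print(compliance_profile({"card_present": 15_000, "ecommerce": 3_500}))
```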
Consequences of compliance failure
Merchants who ignore their PCI compliance assessment and reporting requirements are taking a significant risk. If they fail to comply, and a cardholder security incident occurs, the merchant can be hit with large financial penalties. They will also very likely lose customers as a result of their negligence. In extreme cases, penny-pinching merchants can lose their ability to process card transactions.
Each small business owner should ensure that they partner with a merchant services provider (or MSP) who is PCI-certified. Payment Depot possesses this certification, and the company offers PCI-compliant processing at no extra charge.
Payment Depot’s top-notch customer service team members are also glad to assist small business owners with PCI compliance-related issues. To learn more, contact our award-winning support team today.