PCI Level 1 Compliance Explained

Just in the first half of 2023, 219,713 credit card fraud reports have been filed. If you’re a business that sells anything online, you must know how to safeguard sensitive card information to protect your customers from cyber threats and fraud.

Fortunately, the PCI Security Standards Council (PCI SSC) enforced PCI standards that merchants must comply with to protect cardholder data better. As an online merchant, it is critical to understand and comply with PCI standards, as it ensures secure payment for your customers.

PCI Level 1 Compliant
Automated A/R & A/P Software

Independently verified for compliance by a PCI Security Standards Council QSA

Schedule a Demo

What is PCI compliance and PCI level 1?

PCI compliance is a set of 12 requirements outlined by the PCI Security Standards Council that merchants are expected to follow. Major credit card providers have adopted these standards to ensure cardholder information remains secure during every transaction. This includes Visa, Mastercard, American Express, Discover and JCB.

PCI compliance standards require merchants to:

• Maintain a secure network
• Protect customer data
• Test and patch vulnerabilities
• Restrict access
• Regularly test networks
• Document all policies and procedures

PCI level 1 is the highest level of compliance and payment security standards for merchants. It applies to big businesses that process over 6 million credit card transactions per year and merchants and service providers that experienced credit card data breaches. PCI level 1 has stricter requirements, including an external PCI audit.

What does PCI DSS mean?

PCI DSS is an acronym for Payment Card Industry Data Security Standard. It represents the 12 security standards for PCI compliance. The two terms are used interchangeably.

PCI Compliance Requirements

The PCI Security Standards Council has 12 requirements that must be met to comply.

1. Use and maintain firewalls

This is the first step in defending against hackers and preventing unauthorized access.

2. Proper password protections

Passwords for all systems and devices (including routers, point-of-sale systems, and modems) should be kept securely and regularly changed.

3. Protect cardholder data

All card data must be encrypted with encryption keys and should be scanned regularly for any unencrypted data.

4. Encrypt transmitted data

Any cardholder data sent across any channel, like a payment processor, must be encrypted.

5. Use and maintain anti-virus

Anti-virus software must be installed on all devices that touch customer data and should be regularly updated.

6. Properly update software

Third-party software should regularly be updated, including operating systems, firewalls, and anti-virus programs.

7. Restrict data access

Access to customer data should be extremely limited, and employees or third parties with access must be documented.

8. Unique IDs for access

Anyone with access to customer data must have a unique login that only they use.

9. Restrict physical access

All data – physical or digital – must be kept in a secure location.

10. Maintain access logs

Anyone accessing sensitive information must be documented. These logs must be maintained daily.

11. Scan and test for vulnerabilities

Merchants must self-test themselves and actively look for system flaws. These could be hardware, software, or process issues.

12. Document policies

An inventory of all equipment, software, employee access, and procedures should be documented. There are also levels of compliance dependent on the volume of transactions processed annually.

PCI compliance levels

There are four levels of PCI DSS compliance. These levels are based on any merchant’s annual number of transactions, but any breach may push a merchant to a higher level.

PCI DSS level 1

As mentioned above, level 1 is reserved for merchants processing over 6 million transactions annually via e-commerce or for merchants and service providers whose data has been compromised, regardless of how many transactions they process, store, or transmit. It’s the most stringent PCI compliance level. PCI level 1 compliance requirements include:

• A report on Compliance by a Qualified Security Assessor (PCI QSA) or Internal Security Assessor (ISA)
• An annual penetration test to check for potential vulnerabilities
• A PCI Attestation of Compliance (PCI AOC) by a QSA
• Quarterly PCI scans by Approved Scanning Vendors (ASV)

PCI DSS level 2

Level 2 includes merchants that process between 1 and 6 million transactions annually. Compliance requirements include:

• Completion of a Self-Assessment Questionnaire (SAQ), preferably by a certified Internal Security Assessor
• An on-site assessment by a third-party QSA
• A quarterly scan of your network by a third-party ASV
• Complete an Attestation of Compliance form
• A penetration test or internal scan may also be required

PCI DSS level 3

Level 3 includes merchants that process between 20,000 and 1 million transactions annually. Compliance requirements include:

• Completion of an SAQ
• A quarterly scan of your network by a third-party ASV
• Complete an Attestation of Compliance form
• A penetration test or internal scan may also be required

PCI DSS level 4

Level 4 includes merchants that process under 20,000 transactions annually. Compliance requirements include:

• Completion of an SAQ
• A quarterly scan of your network by a third-party ASV
• Complete an Attestation of Compliance form

Levels 2, 3, and 4 all have the same validation requirements – yearly self-assessment using the PCI SSC self-assessment questionnaire, a quarterly network scan by an approved scanning vendor (also available through PCI SSC), and an attestation of compliance form.

For PCI level 1 compliance, the merchant must have yearly compliance assessments by a Qualified Security Assessor (QSA), in addition to the requirements for levels 2, 3, and 4.

The yearly compliance assessment will consist of several steps by the QSA, including examining your point of sale (POS) system, a detailed review of areas of vulnerability, and a prioritized list of improvements to prevent attacks. Once the assessment is over (if you haven’t done this already), your job is to develop security protocols that will monitor your systems for compliance going forward.

Why PCI DSS level 1 compliance is important for your business

Though this may seem like a long, arduous process, the risks of remaining non-compliant are astronomical. Not only would a customer card data breach tarnish the reputation of your business, but you could also expect to be sued – not by PCI SSC, but by Mastercard and Visa, and potentially any number of banks.

Take Target, for example. Target’s data breach resulted in a payment of $39M to a handful of US banks that service Mastercard and settled with Visa for $67M. And that doesn’t even count the class action lawsuit filed directly by Target customers, which Target settled for $10M.

The best place to start if you’re new to PCI compliance is the PCI Security Standards Council website. There, you’ll find tons of resources and PCI SSC-approved vendors.

A whole host of PCI-compliant vendors in the marketplace will handle the process – with minimal intervention from you. Businesses that obtain a PCI level 1 certification can also avoid non-compliance fines and lawsuits.

How do level 1 merchants and service providers comply with PCI DSS level 1?

To comply with PCI DSS Level 1, merchants must complete a self-assessment (specific to their transactional behavior) to understand where they are already adhering to PCI DSS and where there may be gaps. The Security Standards Council provides a PCI DSS Self-Assessment Questionnaire (SAQ). You must also have a QSA or ISA perform your annual external audit. The audits must be reported to your “acquiring bank”, which is an “entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.”

What is a PCI DSS level 1 service provider?

A PCI DSS level 1 service provider is not a merchant or a brand that accepts customer payments. They instead collect, process, or transfer credit card information on behalf of another company. Level 1 service providers often include credit card data protection businesses, such as companies that offer firewalls, IDS/IPS, and hosting services.

PCI compliance is a complicated process – and with good reason. Customer payment data is at stake, and any business wishing to use it must do its utmost to protect that data. If the process is too overwhelming to take on yourself, find a PCI-compliant vendor to help walk you through it. But even so, ensure you are fully aware of PCI compliance standards, as your business is ultimately responsible.

Maintain PCI compliance with Invoiced

Meeting PCI compliance standards enables businesses to safely process batch payments to reduce threats of fraud and stolen credit card information. Offering a higher level of payment security can help build customer trust.

Invoiced takes security seriously. Our solution has been independently verified for PCI Level 1 compliance by a PCI Security Standards Council QSA (Qualified Security Assessor). Simplify payment security with Invoiced accounts payable and accounts receivable software.

To learn more about how Invoiced can help you maintain PCI compliance, schedule a demo today.