All companies that process credit card payments need to comply with the Payment Card Industry Data Security Standard (PCI DSS). The payment card brands group merchants into compliance levels, typically four, determined by the volume and type of card transactions a merchant processes.
Based on their PCI DSS merchant level, companies need to take different actions to demonstrate compliance and protect cardholder data.
PCI DSS is administered by the Payment Card Industry Security Standards Council (PCI SSC), a global forum of industry stakeholders. The Council was formed by American Express, Discover, JCB International, Mastercard, and Visa on September 7, 2006, to manage and supply information supporting PCI DSS.
The Council itself does not collect compliance reports: documentation demonstrating compliance is submitted to the merchant's acquiring bank or the card brand when required.
In this post, we’ll review:
PCI merchant levels are used by the payment card industry to categorize businesses that handle payment cards, and are based on the volume and type of card transactions they process. Merchants classified at different levels are required to follow different reporting guidelines.
PCI merchant levels are determined by the individual payment card brands. There is no industry-wide standard, though most brands define similar levels.
In most cases, Visa among them, four levels are defined, each with its own requirements for demonstrating and documenting PCI DSS compliance. Discover is an exception and categorizes businesses into only three levels.
We will use Mastercard's PCI levels as an example of how the payment card industry categorizes businesses. Mastercard defines four merchant levels based on the number of Mastercard transactions a business has processed over the most recent 12-month period.
These levels determine the amount of assessment and security validation an entity must perform to maintain PCI DSS compliance.
Companies subject to PCI DSS must conduct annual assessments to verify PCI compliance. However, the type of assessment required depends on the company's merchant level.
Data loss prevention (DLP) solutions can help companies comply with PCI DSS requirements. By enforcing an organization's data handling policy, DLP supports the controls required to maintain PCI compliance. The key is for companies to develop an effective data handling policy that incorporates the compliance requirements.
Specifically, DLP addresses the following three PCI DSS requirements:
Do you know what the 5 key benefits of an effective DLP endpoint agent are?
✅ Data protection any time, any place, anywhere
✅ Increased data visibility
✅ More control over data user access permissions
✅ Identifies gaps in patch management
✅ Reduces data breaches
— Next DLP (@Next_DLP) February 27, 2023
The Reveal Platform by Next is an advanced DLP solution that helps companies protect their sensitive data resources and comply with PCI DSS requirements. It is a cloud-native platform that supports flexibility, fast deployment, and immediate visibility into data resources.
Reveal is the first DLP platform that delivers machine learning on the endpoint. Featuring a smart agent that identifies and categorizes data at the point of risk, the tool also offers user training that supports the development of a security-conscious culture throughout the organization.
Contact Next and book a demo to see how this advanced DLP solution can increase your data security and help your organization remain compliant with PCI DSS.
What constitutes a merchant under PCI DSS?
PCI DSS defines a merchant as any entity that accepts payment cards as payment for goods or services, regardless of the acceptance method (in person, online, or by mail or phone). Merchants are assigned levels that reflect the volume and type of transactions they process. In ecommerce, virtually every company that takes card payments is therefore a PCI DSS merchant.
How does my company demonstrate PCI compliance?
Companies have varying requirements related to PCI compliance, based on their merchant level. All merchants need to perform an annual assessment to demonstrate compliance: the highest level requires an on-site assessment documented in a Report on Compliance (ROC), while lower levels typically complete a Self-Assessment Questionnaire (SAQ).
Level 2 through 4 merchants can also choose to submit the more rigorous ROC instead of an SAQ.
How is my organization’s merchant level determined?
Merchant levels are assigned by the merchant's acquiring bank or payment card processor, based on the number of transactions the merchant has processed over the previous 12-month period. The acquirer can also place a merchant at a higher level than its transaction volume alone would indicate if it believes the merchant's environment poses elevated risk to cardholder data.