Almost all companies that process credit or debit card payments must comply with PCI DSS. PCI compliance also applies to most companies that transmit, store or otherwise come into contact with card and cardholder data, regardless of their payment structure. However, not all of these companies need to comply with PCI DSS and report their PCI compliance in the same way.
See Also: PCI DSS Compliance Levels
Companies with the lowest throughput often have lower bars to exceed and fewer PCI compliance requirement clauses. In short, they only need to complete a Self-Assessment Questionnaire (SAQ) to become PCI compliant.
However, companies with more credit card transactions are required to verify their SAQ and compliance by a Qualified Security Assessor (QSA) who files the Attestation of Compliance (AOC), Compliance Report (ROC), or both.
See Also: What is PCI DSS and PCI Compliance?
Ensuring Level 2 PCI compliance relates to the specific assessment and reporting protocols used to validate your application. All companies at all PCI levels must implement all controls or, where appropriate, compensate for controls that meet or exceed PCI compliance requirements.
What is PCI DSS? What are PCI Compliance Levels?
The payment card industry, particularly the credit card brands Visa, Mastercard, American Express, Discover, and JCB, leads the Security Standards Council. In 2004, he developed the PCI DSS framework to ensure the security of credit card data and cardholder data, especially e-commerce transactions.
However, recognizing that different organizations have different security risks, the PCI council has identified four merchant levels and two service provider levels. PCI Level 1 is the strictest for organizations that process 6 million or more credit card transactions per year or data breaches and service providers that process more than 300,000 payment card transactions per year.
How to Meet PCI DSS Level 2 Requirements
A business’s cybersecurity infrastructure must meet regulatory compliance requirements. Therefore, it is the Payment Card Industry (PCI) Data Security Standard (DSS) developed by the PCI Security Standards Council (SSC), a compliance framework applicable to businesses in almost every industry.
PCI Level 2 compliance is mandatory for businesses that process, store or transmit credit card data and process between one and six million transactions per year. PCI DSS compliance can be challenging for companies of all levels. There are numerous controls to implement and various assessment and reporting protocols to enumerate.
PCI compliance reporting levels depend on the volume and type of transactions a company processes during a calendar year. According to the PCI DSS compliance guide, Level 2 criteria and requirements are as follows:
- PCI DSS Level 2– Merchants that process between one and six million credit or debit card transactions per year across all commercial channels must submit an SAQ and AOC each year.
While PCI DSS Level 2 is the same as PCI Level 3 in terms of reporting, it covers a broader range of companies. It also refers to the maximum number of transactions a company can process before it is required to submit a QSA-verified ROC.
Other than the lowest PCI Level, companies that must comply must contract with the services of a QSA or PCI validated managed security services provider to evaluate their efforts.
PCI Level 2 and 3 companies must file with their SAQ. The AOC verifies that self-assessed answers are truthful. A QSA may choose to evaluate the company’s security practices, but this is not always a requirement.
Required only for the highest PCI compliance level, an ROC is a much more thorough analysis of the target company’s security features. It includes an onsite visit and evaluation by the QSA, who will test the controls themselves rather than relying on self-reported findings. If you are on the verge of PCI Level 1 throughput, you will want to prepare for the more rigorous assessment of a ROC.
See Also: PCI Compliance Reports: What Do SAQ, AoC, and RoC Mean?
The SAQ is a survey with simple yes or no questions about all PCI DSS controls at the other end of the spectrum.
Completing and submitting a Self-Assessment Questionnaire, which is a lengthy process with as many as 281 requirements, is one of the few tasks that organizations at PCI compliance Level 2 must complete before completing their Compliance Certifications.
See Also: Choosing the Right PCI DSS SAQ
The PCI DSS compliance criteria and requirements for vendor and service provider Level 2 are:
The compliance criteria for PCI DSS level 2 merchants are as follows:
- Process 1 million to 6 million Mastercard, Discover, or Visa transactions per year
- Process 50,000 to 2.5 million American Express transactions per year
- Each year, less than one million JCB transactions are processed.
Compliance verification requirements for PCI DSS level 2 merchants are as follows:
- Annual Self-Assessment Questionnaire
- Quarterly network scan by PCI SSC Approved Scanning Vendor
- Approval of the Eligibility Form
The compliance criteria for PCI DSS level 2 service providers are as follows:
- Process, store, or transmit less than 300,000 credit card transactions per year
Compliance verification requirements for PCI DSS level 2 service providers are as follows:
- Annual Self-Assessment Questionnaire
- Quarterly network scan by Approved Scan Vendor
- Penetration test
- Internal scanning
- Approval of the Eligibility Form
Service providers qualified as PCI Level 2 by partners, customers, or other business partners may be required to verify PCI DSS compliance with an onsite audit by a Qualified Security Assessor or Internal Security Evaluator and meet stricter PCI Level 1 criterion.
They may also choose to validate as a PCI Level 1 provider for inclusion on Visa’s Global Registry of Approved Service Providers.
How Can You Determine You Are PCI Level 2?
PCI Merchant Level 2 applies to merchants who process, store, or forward 1 million to 6 million credit card transactions per year. However, major credit cards also have their set merchant tiers, so your organization’s definition depends in part on what cards they accept.
PCI DSS Level 2 merchants process 1 to 6 million Visa, Mastercard, and Discover transactions per year. Merchant merchants that process 50,000 to 2 million sales and less than 1 million JCB International credit card transactions using American Express are also considered PCI level 2.
Service providers that process credit card payments or interact in any way with cardholder data for merchants and financial institutions are considered PCI Compliance Level 2 if they store or transmit a total of less than 300,000 card transactions per year.
Suppose your organization qualifies as a Level 2 vendor or service provider. In that case, it does not require an annual onsite audit by the Qualified Security Assessor or the resulting Compliance Report to demonstrate PCI DSS compliance. Only PCI level 1 organization need auditing.
See Also: What are PCI Service Provider Compliance Levels
Instead, merchants at levels 2, 3, and 4 can complete a completed Self-Assessment Questionnaire and meet a few other tasks before doing a PCI Attestation of Compliance (AoC). With 281 requirements to be addressed and other tasks completed, becoming PCI compliant can take PCI Level 2 compliances an entire year or more.