As these requirements cover a wide range of businesses, it’s important to ensure you are following the appropriate standards for the size and scale of your business. As such, you can expect to qualify under one of the four following PCI-DSS merchant levels:
- Level 1 covers merchants that process over 6 million card transactions a year.
- Level 2 covers merchants that process 1 million to 6 million transactions a year.
- Level 3 covers merchants that process 20,000 to 1 million transactions a year.
- Level 4 covers merchants that process fewer than 20,000 transactions a year.
If your business is seeking PCI-DSS Level 3 compliance, you will need to follow the specific standards outlined below.
What is PCI-DSS Level 3?
PCI-DSS Level 3 businesses are those that process, store, or transmit between 20,000 and 1 million card transactions per year. Note, however, that the different card brands define Level 3 differently. These are:
VISA, Mastercard, and Discover:
- Merchants who process between 20,000 and 1 million transactions annually.
American Express:
- Merchants who process fewer than 50,000 transactions annually.
JCB has no level 3. All merchants that process fewer than 1 million JCB transactions per year will be considered a Level 2 business.
How do merchants become PCI-DSS Level 3 compliant?
If you are a business aiming for PCI-DSS Level 3 compliance, the process is much the same as qualifying for Level 2 compliance. You will not be required to complete an Annual Report on Compliance (ROC).
The first step is to complete a PCI-DSS Self-Assessment Questionnaire (SAQ). Supplied by the PCI Security Standards Council (SSC), this form asks the business to assess the security controls currently in place, paying particular attention to any weaknesses.
Quarterly network scans, performed by an Approved Scanning Vendor (ASV), will also be required, along with an Attestation of Compliance (AOC) form.
Your business will also require regular penetration testing and internal scanning.
Do service providers have to follow PCI-DSS Level 3 requirements?
If your business uses a service provider during the transaction process, that provider will also need to be PCI-DSS compliant, because it handles, stores, or transmits sensitive cardholder data. However, there is no PCI-DSS Level 3 for service providers, so Level 2 requirements must be followed.
For service providers that process fewer than 300,000 payment card transactions each year, the requirements are:
- An annual SAQ
- An ROC prepared by a Qualified Security Assessor (QSA)
- A quarterly network scan by an ASV
- Regular penetration testing
- Regular internal scanning
- An Attestation of Compliance Form
What are the benefits of PCI-DSS Level 3?
The benefits of being PCI-DSS Level 3 compliant can be enormous for your business. For one, the strengthened measures and continuous monitoring keep your security systems strong enough to avoid a breach, sparing your business the pitfalls of a breach, including expensive fines and severe reputational damage.
Your company will also experience a significant increase in trust in all aspects of your business. Banks and stakeholders tend to seek out PCI-DSS compliance in partners as this helps them mitigate their own risk when working with you. Clients and customers also tend to repurchase from trustworthy businesses, and knowing their data is safe when making a transaction with you can make all the difference.
Achieve PCI-DSS Level 3 compliance with Hicomply
At Hicomply, our mission is to take the stress out of PCI-DSS compliance as we’re well aware that it can be time-consuming and confusing for businesses. We offer a fully-fledged ISMS solution that allows you to keep track of all your relevant documents without any of the extra hassle. Contact us for a demo today.