To achieve compliance certification, your business needs to follow the standards appropriate to its scope. In practice, this means qualifying under one of the four PCI-DSS merchant levels:
- Level 1 covers merchants that process over 6 million card transactions a year.
- Level 2 covers merchants that process 1 million to 6 million transactions a year.
- Level 3 covers merchants that process 20,000 to 1 million transactions a year.
- Level 4 covers merchants that process fewer than 20,000 transactions a year.
PCI-DSS Level 4 is the lowest compliance level a business would need to meet, so it’s usually much smaller businesses seeking compliance here. The requirements are explained below.
What is PCI-DSS Level 4?
As a general rule, PCI-DSS Level 4 businesses are those that process, store, or transmit fewer than 20,000 transactions per year. However, the card brands set their own thresholds for who qualifies as a PCI-DSS Level 4 merchant. These are:
- VISA and Mastercard classify Level 4 merchants as those who process fewer than 20,000 transactions annually.
- Discover, American Express and JCB have no Level 4 standards: Discover and American Express stop at Level 3 and JCB stops at Level 2, so merchants on those brands must follow the requirements of the applicable level instead.
How do merchants become PCI-DSS Level 4 compliant?
The PCI-DSS Level 4 requirements are much less stringent than those for the higher levels. You will not be required to complete an annual Report on Compliance (ROC) or an Attestation of Compliance (AOC) form.
However, PCI-DSS Level 4 merchants still need to complete a PCI-DSS Self-Assessment Questionnaire (SAQ), provided by the PCI Security Standards Council (SSC). To fill out this form, your business will need to self-assess the security measures currently in place, with a particular focus on any weaknesses.
Quarterly network scanning will also need to be performed by an Approved Scanning Vendor (ASV). Your business will also require regular penetration testing and internal scanning.
Do service providers have to follow PCI-DSS Level 4 requirements?
PCI-DSS compliance is also required for service providers that aid a business during the transaction process. However, there is no PCI-DSS Level 4 compliance in place for service providers, so the Level 2 requirements need to be followed.
Service providers that process fewer than 300,000 payment card transactions each year need to adhere to the following requirements:
- An annual SAQ
- An ROC prepared by a QSA
- A quarterly network scan by an ASV
- Regular penetration testing
- Regular internal scanning
- An Attestation of Compliance Form
What are the benefits of PCI-DSS Level 4?
The benefits of being PCI-DSS Level 4 compliant cannot be overstated.
Firstly, your business will be considered much more trustworthy, which appeals to banks and stakeholders, who often require PCI-DSS compliance before partnering with you. You will also find that customers and clients have much more confidence purchasing from a PCI-DSS compliant business.
Additionally, by strengthening your security systems, you reduce the risk of your business suffering a breach. The consequences of a breach can be severe, including expensive fines and serious reputational damage.
PCI-DSS Level 3 compliance made easy with Hicomply
The PCI-DSS compliance process can seem extremely daunting, especially if your business has not gone through this previously. At Hicomply, our aim is to streamline the process so you can focus on running your business – essentially, compliance as you work!
Our ISMS solution keeps all your documents in one place, so you can achieve certification without the extra hassle. Contact us for a demo today.