February 7, 2024

PCI DSS Requirements Merchant Level 4

If your business processes, stores, or transmits cardholder data through transactions, you will likely know by now how important it is to become PCI DSS compliant. Card transactions are often prone to cyber-attacks, which can lead to data breaches that would be detrimental to your business.


To achieve compliance certification, you will need to ensure that your business follows the appropriate standards for its scope. This means that you will qualify under one of the four PCI DSS merchant levels:

  • Level 1 covers merchants that process over 6 million card transactions a year.
  • Level 2 covers merchants that process 1 million to 6 million transactions a year.
  • Level 3 covers merchants that process 20,000 to 1 million transactions a year.
  • Level 4 covers merchants that process fewer than 20,000 transactions a year.

PCI DSS Level 4 is the lowest compliance level a business would need to meet, so it’s usually much smaller businesses seeking compliance here. The requirements are explained below.

What is PCI DSS Level 4?

As a general rule, PCI DSS Level 4 businesses are those that process, store, or transmit fewer than 20,000 transactions per year. However, different card brands have different standards as to who qualifies as a PCI DSS Level 4 business. These are:

  • VISA and Mastercard classify Level 4 merchants as those who process fewer than 20,000 transactions annually.
  • Discover, American Express and JCB have no Level 4 standards. Discover and American Express stop at Level 3 and JCB stops at Level 2, so the appropriate standards must be followed in this scenario.

How do merchants become PCI DSS Level 4 compliant?

The PCI DSS Level 4 requirements are much less stringent than for those in higher levels. You will not be required to complete an Annual Report on Compliance (ROC) or an Attestation of Compliance form (AOC).

However, PCI DSS Level 4 merchants will still need to complete a PCI DSS Self-Assessment Questionnaire (SAQ) provided by the PCI Security Standards Council (SSC). To fill out this form, your business will need to self-assess the security measures currently in place, with a particular focus on any weaknesses.

Quarterly network scanning will also need to be performed by an Approved Scan Vendor (ASV). Your business will also require regular penetration testing and internal scanning.

Do service providers have to follow PCI DSS Level 4 requirements?

PCI DSS compliance is also required for service providers that aid a business during the transaction process. However, there is no PCI DSS Level 4 compliance in place for service providers, so the Level 2 requirements need to be followed.

Service providers that process fewer than 300,000 payment card transactions each year need to adhere to the following requirements:

  • An annual SAQ
  • An ROC prepared by a QSA
  • A quarterly network scan by an ASV
  • Regular penetration testing
  • Regular internal scanning
  • An Attestation of Compliance Form

What are the benefits of PCI DSS Level 4?

The benefits of being PCI DSS Level 4 compliant cannot be overstated.

Firstly, your business will be considered much more trustworthy, which appeals to banks and stakeholders, who often require PCI DSS compliance when partnering with you. You will also find that customers and clients have much more confidence in purchasing from a PCI DSS compliant business.

Additionally, by strengthening your security systems, you reduce the likelihood of your business experiencing a breach. The consequences of a breach can be severe, including expensive fines and lasting reputational damage.

PCI DSS Level 3 compliance made easy with Hicomply

The PCI DSS compliance process can seem extremely daunting, especially if your business has not gone through this previously. At Hicomply, our aim is to streamline the process so you can focus on running your business – essentially, compliance as you work!

Our ISMS solution keeps all your documents in one place, so you can achieve certification without the extra hassle. Contact us for a demo today.
