What are the 4 Levels of PCI Compliance?

Michaelbedwell
Dec 24, 2021

The PCI Data Security Standard (PCI DSS) is a set of requirements developed by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that all companies that process, store or transmit credit card information maintain a secure environment.

There are four merchant levels under the PCI DSS. A merchant's level is assigned by the card brands based on its annual transaction volume, and it determines how the merchant must validate compliance (an independent on-site assessment versus a self-assessment questionnaire). It does not change which security requirements apply: the same PCI DSS controls apply to every merchant that stores, processes or transmits cardholder data, so the effort and cost rise with the level mainly because the validation becomes more rigorous.

The four levels of PCI compliance, using the thresholds published by Visa and Mastercard (other card brands use similar but not identical figures, and an acquirer can assign a merchant to a higher level, for example after a breach), are:

1. Level 1 — Merchants that process more than 6 million card transactions per year across all channels. This is the most demanding level to validate. It requires an annual on-site assessment performed by a Qualified Security Assessor (QSA) or a qualified internal auditor, documented in a Report on Compliance (ROC) and an Attestation of Compliance (AOC), plus quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV).

2. Level 2 — Merchants that process 1 million to 6 million transactions per year. Validation is an annual Self-Assessment Questionnaire (SAQ) with an AOC, plus quarterly ASV scans. A QSA-led on-site assessment is not required unless the acquirer or card brand asks for one.

3. Level 3 — Merchants that process 20,000 to 1 million e-commerce transactions per year. Validation is an annual SAQ and quarterly ASV scans.

4. Level 4 — Merchants that process fewer than 20,000 e-commerce transactions per year, and all other merchants that process up to 1 million transactions per year through any channel. Validation is an annual SAQ and quarterly ASV scans; whether these are mandatory or only recommended is decided by the acquiring bank.

Controls such as multi-factor authentication for remote access to the cardholder data environment, security awareness training for all personnel, patch management, internal vulnerability scanning, penetration testing and audit log retention are requirements of the PCI DSS itself and apply at every level, not only at the level where they happen to be mentioned. The standard requires audit trail history to be retained for at least one year, with a minimum of three months immediately available for analysis, regardless of merchant level.

The PCI DSS was developed by the Payment Card Industry Security Standards Council to combat credit card fraud. The four merchant levels are defined by transaction volume and represent an escalating level of validation effort and investment: the lower levels allow a merchant to self-assess against the same set of controls, whereas Level 1 requires an independent annual on-site assessment, which demands more time and budget.



Michael Bedwell is a Professional Content Writer at Host Merchant Services. He lives in New Jersey, United States.