PCI levels are categories that the PCI Security Standards Council (SCC) and card brands (VISA, MasterCard, American Express, Discover, and JCB) use to determine PCI compliance validation and reporting requirements for both merchants and service providers. The levels are numbered 1 through 4, with 1 at the highest level.
At level 1, merchants and service providers are required to engage an independent Qualified Security Assessor (QSA) to validate compliance with the PCI Data Security Standard (DSS).
Level 2 through level 4 merchants and service providers are permitted, but not required, to self-validate compliance with the DSS. They may also have a QSA validate compliance.
Ultimately, all entities that store, process, or transmit cardholder data are required to comply with all relevant PCI DSS requirements, regardless of transaction volume. Having a QSA validate compliance with the DSS provides confidence and assurance that the cardholder data environment (CDE) is securely controlled and that relevant requirements have been met.
About the Author
Eric Sampson is a Manager at Schellman. Eric began his professional career in 2005 while working as an IT auditor in Philadelphia. Eric executed several critical projects for clients in the areas of information security and Service Organization Controls (SOC) reporting projects. To date, Eric has provided services to clients in the healthcare, information technology, and financial services industries, among others.More Content by Eric Sampson