PCI levels are categories that the PCI Security Standards Council (SCC) and card brands (VISA, MasterCard, American Express, Discover, and JCB) use to determine PCI compliance validation and reporting requirements for both merchants and service providers. The levels are numbered 1 through 4, with 1 at the highest level.
At level 1, merchants and service providers are required to engage an independent Qualified Security Assessor (QSA) to validate compliance with the PCI Data Security Standard (DSS).
Level 2 through level 4 merchants and service providers are permitted, but not required, to self-validate compliance with the DSS. They may also have a QSA validate compliance.
Ultimately, all entities that store, process, or transmit cardholder data are required to comply with all relevant PCI DSS requirements, regardless of transaction volume. Having a QSA validate compliance with the DSS provides confidence and assurance that the cardholder data environment (CDE) is securely controlled and that relevant requirements have been met.
About the AuthorMore Content by Eric Sampson