PCI DSS must be adhered to by all entities that store, process or transmit cardholder data. This includes merchants, service providers, acquiring banks and card issuers.

The standard was created to strengthen the controls around cardholder data and reduce card fraud. It sets out 12 core security requirements, each of which is broken down into detailed sub-requirements and testing procedures.

How these requirements are applied can be tailored to the environment in question, but every entity that handles card payments must comply in some form. This covers both face-to-face and online transactions, whether or not the card is physically present.

PCI DSS Merchant Levels & Compliance Requirements

Merchant levels are defined by the annual number of card transactions a merchant processes, and the level determines the type of assessment and the reporting that is required.

Every merchant falls into one of four levels, based on the volume of card payment transactions over a 12-month period. The four levels and the transaction thresholds for each are outlined below.

PCI Level 1

6,000,001 or more annual transactions

PCI Level 2

1,000,001 to 6,000,000 annual transactions

PCI Level 3

20,001 to 1,000,000 annual transactions

PCI Level 4

20,000 or fewer annual transactions

Four Steps To Compliance & The 12 PCI DSS Requirements

SES's Qualified Security Assessors (QSAs) use a four-step PCI DSS framework to manage your organisation's compliance programme. The framework sets out SES's process for helping you identify the systems and processes that fall within the scope of PCI DSS, understand and remediate the gaps in your security, and meet the 12 core PCI DSS requirements.

You then submit your PCI Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) to your acquiring bank, and regularly review your systems to ensure that you remain compliant.
