The number and type of credit card transactions a business processes per year is what determines a company’s required PCI compliance level. There are four levels of PCI compliance for merchants and two for service providers.
This article is a deep dive into PCI Level 1 compliance. It’s an attempt to clarify what the council themselves leaves somewhat vague.
We discuss the requirements in practical terms, creating a plan to attain compliance, the budgetary requirements of level 1, and more.
- Understanding PCI Compliance Level 1
- Who Must Be PCI Level 1 Compliant?
- Risks of Non-Compliance
- Becoming PCI Level 1 Compliant
- The Cost to Become PCI Level 1 Compliant
- How to Begin: Planning for Compliance
Understanding PCI Compliance Level 1
PCI Compliance Level 1 is the highest and most stringent level, whose requirements must be met by merchants and service providers for them to be considered PCI DSS compliant. The compliance requirements vary among the major credit card companies based on the number of annual card transactions and whether a business experienced a data breach, regardless of the number of transactions processed. Each of the five major credit card companies have a set threshold of Level 1.
VISA, Mastercard, Discover PCI Compliance Level 1
- Any merchant with more than 6 million transactions annually.
- Any service provider with more than 300,000 transactions annually.
American Express PCI Compliance Level 1
- Any merchant with more than 2.5 million transactions annually.
- Any service provider with more than 300,000 transactions annually.
JCB PCI DSS Level 1
- Any merchant with more than 1 million transactions annually.
- Any service provider with more than 300,000 transactions annually.
Who Must Be PCI Level 1 Compliant?
Both merchants and service providers must maintain Level 1 compliance as defined above. Even if the annual transactions count does not meet the above stated, any merchant or service provider who has experienced a past data breach or is considered Level 1 by another card issuer must also be PCI DSS Level 1 compliant.
A merchant is any entity that accepts payment cards bearing the logo of a PCI SCC participating payment brand. A service provider is any entity that stores, processes or transmits cardholder data on behalf of a merchant or another service provider. One example of this is Amazon. While the platform sells goods and services, it also provides a platform for smaller third parties to sell goods and services. Amazon provides the infrastructure and payment processing thus making them both a merchant and a service provider.
Risks of Non-Compliance
The risks of being PCI non-compliant include fines and penalties, data breaches, compensation costs, legal, and reputational damage, cash flow impacts, and being no longer able to accept credit cards for payment.
Monthly fines and penalties
The major credit card companies can fine businesses monthly until such time their CDE has PCI Level 1 compliance. Visa and Mastercard can impose fines that range from $5000 to $100,000 per month. The large variance is due to how many months a business has been non-compliant, the size of its client base, and the number of transactions processed.
For example, a small company that has been non-compliant for over seven months can be fined $50,000 per month. On the other hand, a large company with more clients that have been non-compliant for the same period may receive higher penalties of $100,000 per month. Penalty ranges on average can be:
- 1–3 months – $5,000–$10,000 per month
- 4–6 months – $25,000–$50,000 per month
- 7 months or more – $50,000–$100,000 per month.
A less than secure CDE can make a business a prime target for cybercriminals. Data breaches cause major setbacks for companies, with the average cost of a breach being $150 per record. Banks may also charge additional fines per record compromised.
When a data breach occurs, a business may have to compensate clients in the form of free credit card monitoring, service fee reimbursement, and identity theft insurance. These complimentary services are crucial for keeping clients, but greatly increase the cost of doing business.
Clients whose data is compromised may file lawsuits against the business that was breached. In 2014 Target was sued by customers and in 2019 Capital One had a breach resulting in 100 million credit card applications being exposed. The outcome of the Capital One breach resulted in fines of $80 million.
Businesses could also have to pay damages to payment card issuers that spent millions of dollars reissuing credit cards and reimbursing fraud victims. While large companies may be better positioned financially to withstand lawsuits, small- and medium-sized businesses may not be able to recover, going out of business altogether.
Customers engage in transactions with businesses they trust. There is an unspoken agreement that when a customer provides their credit card as payment, the information is protected. In the event of a data breach, or even communication of a business being noncompliant may result in a loss of consumer confidence. With that loss of confidence comes a greater chance of losing customers. Word of mouth spreads like wildfire. The lost customers tell their friends and family who were considering buying and now those potential customers are lost. Even after coming into PCI Compliance Level 1, lost trust will be very difficult to regain.
On the flip side of the proverbial coin, a business that demonstrates a strong security position and maintains PCI compliance is communicating to their customers and potential customers their cardholder data is safe.
Costs incurred from financial penalties, data breaches, lawsuits, and reputational damage can have a large and negative impact on a company’s cash flow. This is because the business is now focused on paying fines, penalties, lawsuit settlements, and customer retention, which means less money to invest in other business opportunities, e.g., new lines of business, and expansion.
Becoming PCI Level 1 Compliant
The requirements for PCI Level 1 compliance are as follows, with the service provider having additional requirements apart from the merchant:
- Implement all 12 PCI DSS
- Annual Validations
- Quarterly Validations.
Implement all 12 PCI DSS
A business that is required to have PCI compliance Level 1 must implement all 12 PCI DSS. Depending on the size of the organization, a gap analysis should be performed by internal resources (e.g., infrastructure personnel and internal audit) or by an outside qualified assessor. Once the business knows the current state compared to the required state, there is a baseline foundation on which to build. The 12 requirements are aligned to 6 overarching goals.
Goal 1: Build and maintain a secure network and systems.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data. This means establishing firewall and router configuration standards that include criteria such as a formal process for approving and testing all network connections and changes to the firewall and router configurations.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. When building out the firewall and router configurations, make sure passwords are changed and security parameters set per the company’s established information security policies.
Goal 2: Protect cardholder data.
Requirement 3: Protect stored cardholder data. The company should keep cardholder data storage to the minimum necessary for business needs. Develop formal processes for what data elements will be stored, the retention period for storage, and the deletion of data when no longer needed. This also entails ensuring all cardholder data being stored is fully encrypted.
Requirement 4: Encrypt transmission of cardholder data across open, public networks. This means the company’s open public network (e.g., internet, wireless technologies, cellular technologies, satellite communications, etc.) uses strong cryptography, only trusted keys and certificates are accepted, and processes for managing the encryption are clearly documented and understood by all personnel.
Goal 3: Maintain a vulnerability management program.
Requirement 5: Use and regularly update anti-virus software or programs. Examples include deploying anti-virus software on all systems commonly affected by malicious software, e.g., personal computers and servers. For less commonly affected systems, perform periodic reviews of the systems against current malware threats to ensure anti-virus software is installed and up to date.
Requirement 6: Develop and maintain secure systems and applications. This can be accomplished by establishing a formal process to identify security vulnerabilities, by ensuring all vendor-supplied security patches are tested and installed, and before applications go live, removing development or test accounts, user IDs, and passwords. A formal change process and record for all changes should also be maintained.
Goal 4: Implement strong access measures.
Requirement 7: Restrict access to cardholder data by business need to know. This means that only individuals whose job duties require this access have it and no other users. A recommended best practice would be to restrict access to privileged user IDs and not personal user IDs, practicing least privileges necessary. By default, access settings should be set to “deny all”.
Requirement 8: Assign a unique ID to each person with computer access.
This means all personnel in the organization are assigned a unique user ID and system settings are such that duplicate user IDs cannot be created. Implement user ID lockout after no more than six login attempts.
Requirement 9: Restrict physical access to cardholder data. Appropriate facility controls are implemented to limit and monitor physical access to server rooms, data centers, and entry corridors. Install keycard or biometric scanning technologies; visitors should be approved by a proper company representative and provide picture identification before being given access. Any visitor accessing areas where cardholder data is stored must be always escorted by appropriate company personnel.
Goal 5: Regularly monitor and test networks.
Requirement 10: Track and monitor all access to network resources and cardholder data.
This means having audit trails that show every user ID that accessed any system components in the CDE, including at least the user ID, date, time, and events performed. Regularly review and test all jobs which create these audit logs.
Requirement 11: Regularly test security systems and processes. The first point for consideration is to have a complete inventory of authorized wireless access points, with a business justification for the WAPs. Regularly perform vulnerability scanning and maintain logs of all scans. Perform penetration testing and ensure intrusion detection and prevention tools are in place.
Goal 6: Maintain an information security policy.
Requirement 12: Maintain a policy that addresses information security for all personnel. This means a formal policy that personnel are required to read and provide attestation to be compliant. A great method to ensure security policies are reviewed is to provide a test or quiz when employees review the policy.
At first glance, the task can be and is in fact daunting. But the PCI DSS security council has developed a milestone approach that can be used when planning and scoping the project to implement all the requirements. This is referred to as The Prioritized Approach to Pursue PCI DSS Compliance.
Merchants and service providers must perform an annual audit or assessment from which the Report on Compliance (RoC) is produced. This should be performed by an outside Qualified Security Assessor (QSA) or if the business has an internal audit function, they can perform the assessment. The second validation requirement is the annual Attestation of Compliance (AoC). This is a document that serves as a declaration of the business’s PCI DSS compliance status. It too must be completed by a QSA or internal audit. The RoC and AoC are provided to the merchant’s credit card acquirer.
Merchants must also report audit results to their acquiring bank, which is defined as “an entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer.”
In addition to the above requirements, service providers are required to undergo annual penetration testing.
On a quarterly basis, merchants must perform internal and external network scans using an approved scan vendor (ASV). The complete list of ASVs can be found on the PCI Security Standards Council website. These vendors experienced with PCI offer external vulnerability scanning solutions that adhere to PCI DSS requirements, and they are tested and approved by PCI Security Standards Council before they’re added to the list.
The Cost to Become PCI Level 1 Compliant
PCI DSS is not a one-size-fits-all because each business is at a different readiness level from another. This level will incrementally increase or decrease the cost of coming into initial compliance. For example, a business that, as a part of its standard security operations, has an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS), and has endpoint antivirus software installed will be further along than a business that does not. Another example is having network segmentation wherein the PCI DSS portions of the environment are segmented from other areas of business operations.
When considering costs, a business should budget for both preparation and implementation, PCI DSS certification, and annual compliance maintenance.
Preparation and implementation costs – $4000 to $40,000
Components include network security (IDS, IPS), data encryption (all stored payment data), antivirus software (licensing per device), employee security training, security policy development, ASV scans, and penetration testing.
PCI DSS Certification costs – $15,000 to $60,000 annually
Components include an annual report on compliance (RoC) and a self-assessment questionnaire (SAQ).
Annual Compliance Maintenance costs – $18,000 to $80,000
Components include antivirus software and network security (upgrades, patches), employee security training, ASV scans, penetration testing, PCI compliance fees, and RoC or SAQ.
Every business must keep at top-of-mind unwanted costs which include but are not limited to costs of a data breach, PCI DSS non-compliance fees, and loss of merchant license (can no longer accept credit cards).
How to Begin: Planning for Compliance
A business should conduct a gap analysis to assess its CDE and determine the compliance baseline. PCI SSC has developed a prioritized approach plan which ranks requirements into six milestones: The Prioritized Approach to Pursue PCI DSS Compliance.
It is strongly recommended to identify and assign a dedicated program or project manager (PM) to manage the project from gap analysis to full implementation and testing. The PM can identify and document the resources needed, timelines and provide formal communications to relevant stakeholders throughout the effort.
The project effort should align with project management best practice standards such as those in the Project Management Book of Knowledge (PMBOK).
The Prioritized Approach
The Prioritized Approach outlines six security milestones that will help merchants and service providers incrementally protect against the highest risk factors and escalating threats while working toward the goal of PCI compliance Level 1.
This is accomplished by providing to the business a roadmap to address risks in priority order, a practical approach that allows for “quick wins”, financial and operational planning, promoting objective and measurable progress indicators, and helping to ensure consistency among assessors.
Each milestone entails a specific goal aligned to the PCI DSS.
- Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it.
- Protect systems and networks and be prepared to respond to a system breach. This milestone targets controls for points of access to most compromises and the processes for responding.
- Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.
- Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.
- Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.
- Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements and to finalize all remaining related policies, procedures, and processes needed to protect the CDE.
The following captures the mapping of Milestone 1 to the PCI DSS. The same mapping is identified across the remaining 5 milestones and can be found in the Prioritized Approach..
In conclusion, this article defined PCI Compliance Level 1, who is required to be compliant, the requirements to ensure compliance and a proposed methodology. It is important to note that PCI DSS compliance is a continuous and agile process of assessing, reporting, and remediating.