If you search the PCI Council site (the maintainers of the PCI DSS suite), you won’t find any tables outlining different levels of compliance at all. There’s a reason for that, which is to do with how the PCI DSS first came to be.
Historically, the various card brands including MasterCard and Visa all operated their own card data security programs. These created a whole bunch of requirements for merchants and service providers. What the brands found was that much of the material in their different security programs was quite similar, but just different enough to complicate compliance with them all. So 5 of the card brands (AmEx, Discover, JCB, MasterCard, Visa) got together to found an organization that would publish and maintain a common security standard: the PCI council, which maintains the PCI DSS.
But those original card brand-specific security programs didn’t go away – they just delegated a bunch of the technical stuff to the PCI Council. Things that were delegated tended to be in the area of technical security controls (e.g. PCI DSS req. 1 is about maintaining firewalls). Things to do with risk management of card transaction volumes were kept in house by the various brands, where they continue to this day.
The PCI Council publishes a standard, which is the PCI DSS itself. It then publishes several tools for assessing compliance with the standard. Those tools include various Self Assessment Questionnaires (SAQs), which require varying levels of detail to complete depending on which one you are eligible to use. Tools also include the Report on Compliance (ROC) and Attestation of Compliance (AOC) templates, to be used by QSAs when doing an on-site assessment (an AOC also accompanies each completed SAQ).
Card Brand security programs
It’s the in-house card brand security programs that dictate what the different levels of compliance are, and what causes merchants and service providers to be categorized at that specific level. The levels have quite a lot in common between the brands, but differences do exist. One commonality is that the lower the number of the level, the stricter the level of compliance with the standard is expected. Along with that stricter compliance, more visibility into how the standard is being met is required.
The level at which one of the card brands has categorized you as a merchant or as a service provider is what determines which of those PCI Council tools you can use to assess compliance with the standard. It governs which SAQ you’re eligible to use, and whether any company employee can complete it or whether a formally trained person (an Internal Security Assessor or a QSA) has to. At high enough levels, the brands require that you have a QSA do an on-site assessment instead of using any SAQ.
In practical terms, what’s level 1?
For all of the card brands, level 1 means basically the same thing. By transaction volume, you’re in the highest tier of merchants or service providers, and a compromise of your environment could result in significant financial losses to the card brand members (the issuing and acquiring banks) and potentially to card holders. Level 1 is the top level in these card data protection programs (the lowest number, and the strictest), and outside of some special measures programs, compliance obligations don’t get any stricter.
If you’ve been categorized as level 1, then you can take some pride that you’ve made it. You’re at the top of the card payments world, and some significant responsibilities come along with that.
If you are categorized as a level 1 merchant or service provider by one or more card brands, you are no longer able to do an annual SAQ. Instead, you have to undergo an annual on-site assessment by qualified personnel and produce a ROC. As a level 1 merchant, it’s preferred that the on-site assessment is done by a QSA (some brands accept an internal assessor with the right training instead); for service providers a QSA is mandatory.
That QSA will go through all of the items in the PCI DSS ROC reporting template, and it’s unlikely you will be able to mark many of them as N/A – the expectation is that at your volumes, everything in the standard is applicable, and any requirement you do mark N/A needs a documented justification that the QSA will test rather than take on trust.
If you’ve just learned that you’re level 1, congratulations! Now go and find a QSA in your markets. And remember, the QSA is there to help you be compliant and secure, not just to do the assessment.