All entities involved in processing payment cards (merchants, processors, financial institutions, card issuers, and service providers), as well as any other entity that stores, processes, or transmits cardholder data or sensitive authentication data, must comply with PCI DSS (Payment Card Industry Data Security Standard), the security standard set by the major card brands.
What is PCI DSS?
PCI DSS is the security standard defined by the major card brands (for both debit and credit cards) to reduce the risk of card fraud. It is a set of requirements for any company that processes, transmits, and/or stores cardholder data; such companies must validate their compliance periodically.
The number of technical requirements that apply depends on the merchant's PCI level and on how the merchant's website is configured to accept card payments (the integration method).
PCI Levels
There are four levels of PCI compliance based on the number of transactions processed over a one-year period.
PCI Level | Transactions Processed
---|---
1 | More than six million transactions with Visa, MasterCard, or Discover; more than two and a half million transactions with American Express; or any merchant that one of the card schemes designates as Level 1.
2 | Between one and six million transactions with Visa, MasterCard, or Discover; between fifty thousand and two and a half million transactions with American Express.
3 | Between twenty thousand and one million transactions with Visa, MasterCard, or Discover; fewer than fifty thousand transactions with American Express.
4 | Fewer than twenty thousand transactions with Visa.
Requirements
The PCI level combined with the integration method determines the validation requirements. Merchants validate compliance either with a Self-Assessment Questionnaire (SAQ), which they complete themselves, or with a Report on Compliance (RoC), which must be completed by a Qualified Security Assessor (QSA). SAQ A is the shortest questionnaire and applies when card data entry is fully outsourced to a validated payment provider (redirect, hosted payment page, iframe, or provider-supplied components); a direct API integration, where the merchant's own servers handle card data, falls under the much longer SAQ D.
Merchant PCI Level | Redirect/HPP | Embedded/Iframe | Components | Native | SDK | API
---|---|---|---|---|---|---
1 | RoC A | RoC A | RoC A | RoC A | RoC A | RoC
2 | SAQ A | SAQ A | SAQ A | SAQ A | SAQ A | SAQ D
3 | SAQ A | SAQ A | SAQ A | SAQ A | SAQ A | SAQ D
4 | SAQ A | SAQ A | SAQ A | SAQ A | SAQ A | SAQ D