Achieving Payment Card Industry Data Security Standard (PCI DSS) compliance can be a lengthy and expensive process.
Level 1 compliance, which is required for businesses that handle high volumes of payment card data, can easily cost over $1M upfront. In addition, the journey to your certification can last between 9 to 12 months if you opt to build your own PCI-compliant infrastructure and manage the audit process by yourself. (And that doesn’t even account for annual maintenance.)
With the VGS Platform, you can achieve Level 1 compliance in as little as 21 days – and your organization will end up saving 50-75% versus the cost of DIY.
What Is PCI DSS and Who Needs to Achieve Compliance?
If your business handles payment card data, whether you collect, store, or transfer that highly sensitive data, you must comply with PCI DSS.
PCI DSS requirements were originally developed by the PCI Security Standards Council (PCI SSC). The Council is a consortium of the major credit card brands, including Visa, Mastercard, Discover, JCB International, and American Express, which created these security standards to reduce credit card fraud.
While not a legal obligation, PCI DSS compliance is non-optional for organizations that want to continue transacting with the payment card networks that make up the PCI SSC. If your business collects, transmits, maintains, or transfers cardholder data, then you are within the scope of PCI compliance - no matter how many (or few) transactions you process.
PCI DSS Compliance Levels
PCI DSS compliance is broken down into categories – merchants and service providers – with different levels based on how many credit card transactions you handle annually. At a high level, guidelines are as follows:
- Level 1: Businesses that process over 6 million card transactions per year across all channels or any business that has had a data breach.
- Level 2: Businesses that process between 1 million and 6 million card transactions per year across all channels.
- Level 3: Businesses that process between 20,000 and 1 million e-commerce card transactions per year.
- Level 4: Businesses that process fewer than 20,000 e-commerce card transactions per year or any business processing up to 1 million regular card transactions per year.
For service providers:
- Level 1: Businesses that process over 300,000 transactions per year (includes Payment Facilitators).
- Level 2: Businesses that process under 300,000 transactions per year.
It’s important to note that while Visa, Mastercard, and American Express all define the levels very similarly, there are minor differences. These become even more pronounced when it comes to American Express and JCB. For example, for American Express, Level 1 is defined as businesses that process more than 2.5 million transactions annually. You can learn more from each card issuer directly.
Achieving PCI Level 1 Compliance
When it comes to PCI compliance for Level 2, Level 3, and Level 4 organizations, companies can validate their compliance status by completing a Self Assessment Questionnaire (SAQ) and signing their own Attestation of Compliance (AOC).
Level 1 PCI compliance, on the other hand, requires that organizations bring in an outside auditor to verify that they’ve fulfilled all 12 PCI DSS requirements.
PCI DSS Level 1 Requirements
For Level 1 merchants and service providers that handle the highest volumes of PCI data, a simple SAQ isn’t enough to validate their compliance. Instead, Level 1 businesses must have a certified PCI auditor verify that they’ve done everything required to attain their PCI DSS certification.
These auditors, referred to as Qualified Security Assessors (QSAs), professionally assess your security systems and processes to certify that you’ve complied with all PCI security standards, resulting in an official Report on Compliance (ROC).
Preparing for this audit process is daunting, but working with a data security partner like VGS can accelerate the journey to your ROC by significantly minimizing PCI compliance scope and simplifying how you handle sensitive PCI data.
VGS Solutions for PCI DSS Level 1 Compliance
Integrating VGS solutions into your business provides you with powerful and useful data management tools, along with peace of mind in knowing that all your sensitive information is safe, secure, and compliant. But what exactly does that entail?
With basic integration of the VGS platform, merchants who must achieve PCI DSS Compliance Levels 2-4 and service providers who must complete Level 2 compliance can almost instantly achieve PCI compliance — by inheriting VGS’ compliance posture.
But how do VGS partners prove they’ve reached full compliance through our data security and routing solutions?
In addition to the ability to accept card payments, VGS customers will receive all the documentation necessary to demonstrate that they are protecting their cardholder data in a PCI compliant fashion. When you integrate with VGS for the first time, all PCI Level 2-4 documentation is automatically generated, including a pre-completed Self Assessment Questionnaire (SAQ).
On top of that, you will also receive our Attestation of Compliance (AOC). This documentation is proof that VGS is a PCI DSS Level 1-4 compliant service provider and includes a letter stating that VGS provides PCI-certified services on your company’s behalf.
But what about merchants who surpass 6 million transactions or service providers who surpass 300,000 transactions requiring Level 1 PCI DSS Compliance?
VGS has streamlined the process for merchants and service providers to achieve PCI Level 1 compliance, fast-tracking your path to full compliance.
Here’s a quick comparison spelling out the various PCI DSS compliance levels and what VGS provides you to achieve compliance:
As your business grows and you begin processing more card transactions, VGS helps you navigate the process to demonstrate compliance to achieve your Level 1 merchant or service provider certification.
Typically, obtaining Level 1 compliance can take 9–12 months. With VGS on the other hand, organizations can achieve PCI Level 1 compliance in as little as 21 days.
By shifting the cardholder data environment (CDE) to VGS entirely, your environment is now out of scope because none of the sensitive data is handled or stored on your systems. Once your integration is complete, you can engage a Qualified Security Assessor (QSA) to perform an audit and create a ROC certifying that your business is PCI compliant. We work with your auditor to facilitate the process of obtaining the ROC and help you achieve your PCI Level 1 compliance more quickly and easily.
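The scope-reduction argument above rests on one verifiable condition: no primary account number (PAN) remains in the systems you still operate, only references to data held elsewhere. A QSA will expect evidence of that, and the usual way to produce it is a discovery scan over your own datastores. The script below is an added illustration written for this article, not VGS code and not a description of the VGS platform's API; the two record sets are constructed sample data using the well-known Luhn-valid test PANs, and the `tok_...` alias format is an assumed placeholder, not any vendor's real format. It shows why a naive "16 digits in a row" check is not enough (a 13-digit order reference is not a card number) and how a Luhn-filtered scan distinguishes a datastore that is still in scope from one that holds only aliases.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (not real cardholder data): 4111111111111111 and
# 5555555555554444 are the standard Luhn-valid test PANs, never issued to anyone.
# This is how the records look BEFORE the CDE is moved out: raw PANs on your systems.
IN_SCOPE_STORE: List[Dict[str, str]] = [
    {"id": "ord-1", "card": "4111 1111 1111 1111", "order_ref": "1700000000000"},
    {"id": "ord-2", "card": "5555-5555-5555-4444", "note": "customer called back"},
]

# The same records AFTER the card data is replaced by aliases issued by an external
# vault. The "tok_..." alias format is an assumed placeholder for this example.
OUT_OF_SCOPE_STORE: List[Dict[str, str]] = [
    {"id": "ord-1", "card": "tok_3f9a1c2e7b", "order_ref": "1700000000000"},
    {"id": "ord-2", "card": "tok_9d04e6a1ff", "note": "customer called back"},
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit strings in `text` that look like PANs and pass Luhn."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Never write a full PAN into a scan report; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (record id, field name, masked PAN) for every PAN found."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for pan in find_pans(value):
                hits.append((rec["id"], field, mask(pan)))
    return hits


def holds_cardholder_data(records: List[Dict[str, str]]) -> bool:
    """True if the datastore still contains PANs, i.e. it is still in PCI scope."""
    return bool(scan_records(records))


if __name__ == "__main__":
    for name, store in (("before", IN_SCOPE_STORE), ("after", OUT_OF_SCOPE_STORE)):
        print(name, "in scope:", holds_cardholder_data(store), scan_records(store))
```

Run against real systems this would be pointed at database dumps, log archives and file shares rather than two in-memory lists, and the aliases would come from the vault's own issuance rather than a constructed string; the logic that matters for the audit conversation is the same: a Luhn-filtered PAN discovery pass that returns no hits is the artifact that supports the "nothing sensitive is stored here" claim.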
Ready to Solve PCI Compliance for Good?
We’ve helped hundreds of organizations get and stay PCI compliant, including FinTechs like Even, Unit, and TransferGo; banks like TCB; merchants like Calii and FiveStars; and neobanks like Stilt.