Skip to content

PCI Compliance Levels Explained

Each party related to processing, storing, or transmitting cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS) administered by the Payment Card Industry Security Standards Council. It offers merchants a comprehensive framework for identifying and tackling payment card data security risks. The Standard makes merchants accountable for making their business environment secure and for business policies (or their absence) and any actions that can lead to a data breach.

While the PCI Council doesn’t check every business for PCI compliance, non-compliance can lead to severe consequences. In case a data breach happens, and it’s discovered that the company didn’t comply with the regulations at that moment, it will be liable for heavy fines and face reputational damage.What is PCI DSS?

PCI DSS is a pack of requirements set to ensure that all organizations dealing with credit card data provide a secure environment. The PCI DSS came into action on 7 September 2006. It is managed by the PCI Security Standards Council (PCI SSC), an independent body founded by MasterCard, Visa, American Express, Discover, and JCB.

The PCI compliance levels

Four PCI compliance levels are based on the merchants’ annual card transaction volumes.

  • Level 1: over 6M transactions per year
  • Level 2: 1M to 6M transactions per year
  • Level 3: 20K to 1M transactions per year
  • Level 4: less than 20K transactions per year

In addition, if a merchant experiences a breach that leads to account data compromise, their business may be escalated to a higher compliance level. Merchants can identify their PCI compliance level and ensure compliance by partnering with PCI compliance providers.

PCI Level 1

Level 1 of PCI compliance applies to businesses processing more than 6M card transactions annually. While other levels only mandate filling out a Self-Assessment Questionnaire (SAQ), Level 1 of PCI compliance requires annual reports prepared by a qualified security assessor (QSA) or an internal security assessor (ISA). Merchants that have suffered a data breach compromising payment card data are also liable to an external audit, even if they don’t belong to Level 1 merchants.

Next, Level 1 businesses must have quarterly scans of their networks performed by an approved vendor, including servers, computers, cloud, etc. Moreover, they need to have a penetration test (also known as a pen test) performed at least once a year. This is a simulated cyber attack aimed at checking your systems for exploitable vulnerabilities.

For the Level 1 PCI audit, you’ll have to provide an Attestation of Compliance (AOC) form stating that you have complied with the PCI DSS requirement.

PCI Level 2

You’re a PCI Level 2 merchant if you process from 1M to 6M monthly credit card transactions. Businesses classified as PCI Level 2 merchants are not subject to any audits, except if they suffer from a data breach or your acquiring bank views it as necessary.

Level 2 merchants need to fill out a Self-Assessment Questionnaire, have a quarterly scan of their networks done by an approved vendor, and complete an Attestation of Compliance (AOC). In addition, PCI Level 2 merchants must do an annual penetration test. However, keep in mind that service providers are subject to biannual penetration tests (PCI Requirement

PCI Level 3

Merchants processing 20K to 1M transactions annually belong to Level 3 of PCI compliance. Similar to Level 2 merchants, to stay PCI Level 3 compliant, you need to complete an SAQ, conduct network scans on a quarterly basis, and present an attestation compliance form. However, this level doesn’t require penetration tests.

PCI Level 4

This PCI compliance level applies to any merchant processing fewer than 20K eCommerce transactions annually and all other merchants, no matter the acceptance channel, processing up to 1M Visa transactions per year. PCI Level 4 merchants aren’t required to do audits or submit ROC, and may not even need AOC forms. Level 4 organizations are only subject to completing an annual Self Assessment Questionnaire (SAQ) and performing quarterly network scans.

What is SAQ?

A PCI SAQ, or Self-Assessment Questionnaire, is a merchant’s statement of PCI compliance, validating that the merchant is taking the necessary measures to secure cardholder data. Filling out a PCI Self-Assessment Questionnaire is part of the compliance process. It involves answering several yes/no questions concerning PCI DSS requirements. There are different types of SAQ. The type you need to submit depends on your level and how you process payment card data.

  • SAQ A — for organizations completely outsourcing their card data processing to third parties, including eCommerce transactions and mail/phone order merchants.
  • SAQ A-EP — for eCommerce merchants outsourcing only their payment processing.
  • SAQ B —for eCommerce businesses not obtaining cardholder data but controlling the way of forwarding it to third-party payment processors.
  • SAQ B-IP — for merchants not storing payment card data in electronic form but using IP-connected point-of-interaction devices.
  • SAQ C-VT — for organizations handling cardholder data through a virtual payment terminal rather than a computer system.
  • SAQ C — for those with payment processing systems connected to the Internet.
  • SAQ D — for merchants not covered by types A–C of SAQ.
  • SAQ P2PE — for organizations applying point-to-point encryption, not applicable to eCommerce merchants.

Final thoughts

Regardless of which PCI compliance level your organization falls into or what type of merchant you are, staying PCI compliant should be one of your major priorities. Secure systems translate into greater customer trust and improve your reputation with payment brands. More importantly, PCI compliance helps prevent data breaches and strengthens corporate security strategies.

The article "PCI Compliance Levels Explained" is written by Mic Johnson

Subscribe to our blog.

Receive the latest information when you subscribe to our blog.