February 12, 2024

How to Find and Meet Your PCI Compliance Level

By Security Features

Whether you process only a handful of payment card transactions or over a million each year, every organization that stores, processes, and/or transmits payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS).

Yes, non-compliance can lead to expensive and embarrassing penalties, but PCI DSS (the latest release being v4.0.1) also helps shield you from current and future cyber threats. It asks you to use the right processes and tools to close gaps, prevent (or, if need be, stop) data breaches, and stay ahead of cyber risks as they evolve.

However, the PCI Security Standards Council (PCI SSC) understands that not every business or entity taking in payment card data is the same. That’s why PCI DSS is organized across four different PCI compliance levels, each based on the number of transactions merchants annually process. Understanding which PCI DSS level to follow is crucial to comply correctly and secure your systems effectively against the threats you’re likely to face.

PCI Merchant vs. Service Provider

The first step to understanding your PCI compliance level is to see whether your organization is a merchant or a service provider.

A merchant is a business that accepts credit card payments from any of the five members of the PCI SSC, i.e., Visa, MasterCard, American Express, Discover, and JCB.

A service provider processes, stores, and/or transmits cardholder data on behalf of merchants. While it isn’t a payment card company, it’s accountable under the PCI DSS because it manages its customers’ cardholder data. For example, DataStealth is a PCI DSS Level 1 service provider as we manage our clients’ payment card data across our various solutions. 

PCI DSS further segments merchants and service providers into additional groupings based on the number of transactions they manage each year. 

PCI Merchant Levels 

Merchants follow one of the four PCI DSS levels based on their annual transactions.

The reporting requirements for each PCI compliance level can differ. For example, the PCI SSC requires Level 1 merchants to get a third-party audit and report on compliance (RoC). 

Level 2, 3, and 4 merchants can submit a self-assessment questionnaire (SAQ) and attestation of compliance (AoC). However, the SAQ they need to submit can vary based on what data they manage; the more cardholder data they keep, the heavier the compliance weight.

PCI Compliance Level 1 

Level 1 merchants process over 6 million payment card transactions annually. This PCI DSS compliance tier has the strictest reporting requirements. 

Assessment Requirements

Every year, Level 1 merchants must get an outside qualified security assessor (QSA) to audit their systems and provide both a RoC and AoC.

Testing Requirements

In addition, Level 1 merchants also need to carry out two key tests of their systems: quarterly network scans and annual penetration tests by approved scanning vendors (ASV). 

Finally, a merchant from a different PCI DSS tier may need to follow Level 1 requirements if they suffered a breach that led to the theft or compromise of cardholder data. 

PCI Compliance Level 2 

Level 2 merchants process between 1 million to 6 million payment card transactions a year. 

Assessment Requirements

As of 2021, Level 2 merchants no longer need to undergo annual QSA-led audits nor do they need to submit RoCs. Rather, they can complete an SAQ and submit AoCs on their own. They must also undergo annual penetration testing. 

The SAQ can range from SAQ A (24 questions) to SAQ D (328 questions). Which SAQ applies depends on how the merchant manages its payment card data and card transactions.

For example, a merchant that outsources all of its payment processing to a PCI DSS-compliant third-party service provider (TPSP), does not store, process, or transmit cardholder data on its own systems or premises, and accepts only card-not-present transactions can complete an SAQ A.

On the other hand, a merchant that handles cardholder data in its own systems, operates in a higher-risk environment, or does not qualify for any of the other SAQs must complete an SAQ D. It is the most comprehensive SAQ and covers all PCI DSS requirements.

Some solutions on the market, like DataStealth’s PCI Audit Scope Reduction, can help move you from SAQ D to a less comprehensive SAQ.

Level 2 merchants don’t need to undergo audits unless they suffered a breach that compromised their cardholder data. In that case, they may need to submit a QSA-led RoC.

Testing Requirements

Like Level 1 merchants, Level 2 merchants must undergo quarterly network scans and annual penetration tests by an ASV.

PCI Compliance Level 3 

Level 3 merchants process between 20,000 to 1 million transactions a year. 

Assessment Requirements

Like Level 2 merchants, Level 3 merchants just need to complete an SAQ and submit an AoC. 

Testing Requirements

Level 3 merchants don’t need to undergo annual penetration testing. They just need to carry out quarterly network scans through an ASV.

PCI Compliance Level 4 

Level 4 merchants process less than 20,000 transactions annually. Many small businesses tend to fall under Level 4. 

Assessment Requirements

Level 4 merchants have the least stringent reporting requirements. They only need to complete an SAQ and carry out quarterly network scans via an ASV. Depending on their circumstances, a Level 4 merchant may not always need to submit an AoC.

PCI DSS Service Provider Levels

PCI DSS service provider levels are categorized based on the number of card transactions the organization manages for its clients.

Level 1 

Level 1 service providers manage (be it storing, processing, or transmitting) over 300,000 card transactions per year. Like a Level 1 merchant, a Level 1 service provider must go through QSA or ISA-led audits with a resulting RoC and AoC. Likewise, Level 1 service providers also need to carry out annual penetration testing and quarterly network scans by an ASV.

Level 2 

Level 2 service providers manage fewer than 300,000 payment card transactions a year. They need to complete SAQ D for Service Providers and submit an AoC. Level 2 service providers must also have ASVs carry out annual penetration testing and quarterly network scans.

What’s Your PCI DSS Compliance Level?

Your PCI DSS compliance level is based on the number of transactions your organization has processed in the past 52-week period. You may also need to ask your bank and payment card partner(s) for additional guidance on what PCI DSS level you should follow. 

That said, if you’re a Level 2 or Level 3 merchant, you may have a few opportunities to lighten or streamline your PCI DSS compliance requirements.

For example, if you’re completing SAQ D, you could use certain solutions to reduce your scope to SAQ A-EP. That would lower the number of requirements to check from 252 to 151, a significant reduction in assessment areas.

Moreover, it’s now very important to keep an eye on whether you collect payments online via a webpage. Starting March 31st, 2025, PCI DSS requirements 6.4.3 and 11.6.1 go from being best practices to being mandatory. Even if you rely on a TPSP to manage online payments, you might still be accountable, depending on how your overall system works. Check out our post on how to comply with these requirements to see where you could land.

Again, the right tools and support can help streamline your compliance efforts and make it less overwhelming or unwieldy by the time of your next annual audit. 

PCI DSS Level FAQs 

What are the 4 PCI DSS Compliance Levels?

For merchants, the four PCI DSS compliance levels are as follows:

  • Level 1: Over 6 million payment card transactions per year
  • Level 2: 1 million to 6 million payment card transactions per year
  • Level 3: 20,000 to 1 million payment card transactions per year
  • Level 4: Less than 20,000 payment card transactions per year

For service providers, there are two PCI DSS compliance levels. Level 1, which requires a RoC and AoC, applies to providers processing over 300,000 transactions a year for their customers. Level 2 providers process fewer than 300,000 transactions annually and submit an SAQ.

What is the Difference Between PCI DSS Level 2 and 3?

Level 2 and Level 3 merchants are differentiated based on the merchant’s annual payment card transactions. Merchants processing 1 million to 6 million transactions must follow Level 2, while those processing 20,000 to 1 million follow Level 3.

The main difference in compliance requirements is that Level 2 merchants must undergo annual penetration testing in addition to quarterly network scans, whereas Level 3 merchants only need to carry out quarterly network scans. Otherwise, both can submit an SAQ and AoC.