The 4 PCI Compliance Levels Explained

  • June 09, 2022

Whether your business processes 10 card transactions per year or 10 million, you’re required to comply with PCI DSS. 

The more card transactions you process, the more risk there is for potential data breaches and security incidents. To help address this, the Payment Card Industry Data Security Standard (PCI DSS) categorizes businesses into PCI compliance levels.

Understanding what compliance level your business falls under is a crucial first step in your PCI compliance journey. Your level will dictate your reporting requirements and serve as a roadmap for compliance. 

Below, we break down the criteria to help you determine your PCI compliance level.

Quick review: What is PCI DSS compliance?

PCI DSS is mandated by credit card companies to keep customer data secure. The standard provides instructions for how to capture, transmit, and store cardholder data. 

PCI DSS applies to any company that accepts card payments. It also applies to any organization that can impact the security of payment card transactions, such as a web hosting company or payment gateway.

PCI merchant vs. service provider

PCI DSS splits businesses into two categories: merchants and service providers. 

Merchants are businesses that accept card payments from any of the five members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard, or Visa). 

Service providers are not card payment brands, but are directly involved with the processing, storage, and transmission of cardholder data on behalf of a merchant. 

Service providers also include companies that provide services that could impact the security of cardholder data. Examples of service providers include managed service providers that offer managed firewalls and hosting providers.

The 4 PCI DSS compliance levels

PCI DSS splits merchants and service providers into different reporting levels based on the number of transactions they handle in a given year. 

For merchants, there are four PCI DSS compliance levels starting with Level 4 and working up to Level 1. 

  • PCI Level 1: Businesses processing over 6 million card transactions per year
  • PCI Level 2: Businesses processing 1 million to 6 million card transactions per year
  • PCI Level 3: Businesses processing 20,000 to 1 million card transactions per year
  • PCI Level 4: Businesses processing fewer than 20,000 card transactions per year

Each PCI compliance level has a different set of requirements, with Level 4 being the least stringent and Level 1 being the most stringent.

PCI Level 1 

Level 1 merchants process over 6 million card transactions per year. This level carries the most stringent reporting requirements of the four levels.

Rather than completing a self-assessment questionnaire (SAQ), Level 1 merchants must complete an annual Report on Compliance (RoC).

To complete an RoC, a business will work with a third-party Qualified Security Assessor (QSA). The QSA will conduct a rigorous audit that examines whether a business has effectively met the PCI DSS requirements and compile their findings in an RoC. These audits must take place on an annual basis. 

In addition to the RoC, Level 1 merchants must undergo two types of testing: quarterly network scans and annual penetration testing.

Level 1 merchants must also complete an Attestation of Compliance (AoC) form. This document states that the business has complied with the requirements of the PCI DSS standard. 

It’s also very important to note that any merchant who has suffered a data breach that resulted in cardholder data being compromised can be placed in Level 1 by the PCI SSC.

PCI Level 2

Level 2 merchants process 1 million to 6 million card transactions per year. These merchants are not required to undergo an annual QSA-led audit. Instead, they’ll fill out an SAQ. 

An SAQ contains a series of self-guided questions that assess your PCI compliance. There are eight types of SAQs, and the one you complete depends on whether you are a service provider or merchant and how you process payments. 

For example, an e-commerce merchant that processes card-not-present transactions would fill out an SAQ A. A merchant that outsources payment processing to PCI DSS compliant third parties would complete an SAQ A-EP. 

The number of questions varies by SAQ type. SAQ A is the shortest with 24 questions, whereas SAQ D contains 328 questions.

PCI Level 3

Level 3 merchants process 20,000 to 1 million transactions per year. Merchants in this level are required to complete the applicable SAQ for their business. 

They’re also required to undergo quarterly scans by an Approved Scanning Vendor (ASV) and complete an AoC.

Unlike Levels 1 and 2, Level 3 merchants do not need to conduct annual PCI penetration testing. However, penetration testing is still recommended, as it offers a wide variety of security benefits. 

PCI Level 4

Level 4 merchants process fewer than 20,000 transactions per year and have the least stringent reporting requirements of all four compliance levels. Small businesses often fall into this compliance category. 

They must complete the applicable SAQ, conduct quarterly network scans by an ASV, and complete an AoC.

Service provider PCI compliance levels

Like merchants, service providers are also broken down into compliance levels based on the amount of cardholder data they store, process and/or transmit, or impact. 

Level 1 

Level 1 service providers store, process, transmit, or have an impact on more than 300,000 card transactions per year. 

Similar to a Level 1 merchant, Level 1 service providers must undergo an annual audit led by a QSA. Once the audit is completed, the QSA will issue an RoC. 

Level 1 service providers must also complete annual penetration testing, quarterly network scans by an ASV, and an AoC form. 

Level 2

Level 2 service providers store, process, transmit, or have an impact on fewer than 300,000 card transactions per year. 

This level must complete an SAQ D for Service Providers and an AoC form to prove PCI compliance. Level 2 service providers also need to perform annual penetration testing and conduct quarterly network scans by an ASV.

How to determine your PCI compliance level

You can determine your PCI compliance level by checking your card transaction volume for the most recent 52-week period.

Card payment brands have standardized the criteria for compliance levels across the board. So if you process 2 million credit card transactions in a year, you’ll be considered a Level 2 merchant by Visa, American Express, and all other major card payment brands. 

If you have trouble accessing your transaction volume information or want confirmation on your compliance level, you can contact the card payment brand(s) you accept or your acquiring bank.

How Secureframe can streamline your PCI compliance process 

Whether you’re a Level 1 or Level 4 merchant, PCI compliance involves a lengthy process and numerous reporting requirements. 

Secureframe can help lift the burden of compliance from the shoulders of your team. Our PCI experts will help get you audit-ready so you can achieve and maintain PCI compliance.
