Whether your business processes 10 card transactions per year or 10 million, you’re required to comply with PCI DSS.
The more card transactions you process, the more risk there is for potential data breaches and security incidents. To help address this, the Payment Card Industry Data Security Standard (PCI DSS) categorizes businesses into PCI compliance levels.
Understanding what compliance level your business falls under is a crucial first step in your PCI compliance journey. Your level will dictate your reporting requirements and serve as a roadmap for compliance.
Below, we break down the criteria to help you determine your PCI compliance level.
PCI merchant vs. service provider
Before determining your PCI DSS level, you must identify which category your business falls into: merchant or service provider.
Merchants are businesses that accept card payments from any of the five members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard, or Visa).
Service providers are not card payment brands, but can be directly involved with the processing, storage, and transmission of cardholder data on behalf of a merchant, generally impacting the security of their customers' cardholder data.
Service providers also include companies that provide services that could impact the security of cardholder data. Examples of service providers include managed service providers that offer managed firewalls and hosting providers.
The payment card brands split merchants and service providers into different reporting levels based on the number of transactions they handle in a given year. Let’s take a look at the levels for each group below.
PCI merchant levels
For merchants, there are generally four PCI DSS compliance levels starting with Level 4 and working up to Level 1.
- PCI Level 1: Businesses processing over 6 million card transactions per year
- PCI Level 2: Businesses processing 1 million to 6 million card transactions per year
- PCI Level 3: Businesses processing 20,000 to 1 million card transactions per year
- PCI Level 4: Businesses processing fewer than 20,000 card transactions per year
Each PCI compliance level could have a different set of reporting requirements, with Level 4 requiring a self attestation and Level 1 requiring a third-party audit.
PCI Level 1
Level 1 merchants process over 6 million card transactions per year. This level of PCI compliance undergoes the most stringent reporting requirements of the four levels.
Rather than completing a self-assessment questionnaire (SAQ), Level 1 merchants must complete an annual Report on Compliance (RoC).
To complete an RoC, a business will work with a third-party Qualified Security Assessor (QSA). The QSA will conduct a rigorous audit that examines whether a business has effectively met the PCI DSS requirements and compile their findings in an RoC. These audits must take place on an annual basis.
In addition to the RoC, Level 1 merchants must undergo two types of testing: quarterly network scans and annual penetration testing.
Level 1 audits also include an Attestation of Compliance (AoC) form. This document states that the business has complied with the requirements of the PCI DSS standard and is signed off by the QSA.
It’s also very important to note that any merchant who has suffered a data breach that resulted in cardholder data being compromised can be placed in Level 1 by their acquiring banks or requesting parties.
PCI Level 2
Level 2 merchants process 1 million to 6 million card transactions per year. These merchants are not required to undergo an annual QSA-led report on compliance audit. Instead, they’ll fill out an SAQ. It is possible you would be required to have a third-party QSA firm attest against this SAQ at PCI Level 2.
An SAQ contains a series of self-guided questions that assess your PCI compliance. There are eight types of SAQs, and the one you complete depends on whether you are a service provider or merchant and what type of merchant you are.
For example, an ecommerce merchant that processes card-not-present transactions and utilizes a third party to redirect the ingestion of cardholder data would fill out an SAQ A. An ecommerce merchant that collects cardholder data over their managed application and transmits this data to a third party would complete an SAQ A-EP.
The number of questions vary by SAQ type. SAQ A is the shortest with 24 questions, whereas SAQ D contains 328 questions.
PCI Level 3
Level 3 merchants process 20,000 to 1 million transactions per year. Merchants in this level are required to complete an SAQ for their business including applicable ASV scanning and penetration testing requirements.
They’re also required to conduct quarterly scans by an ASV and complete an AoC.
PCI Level 4
Level 4 merchants process fewer than 20,000 transactions per year and have the least stringent reporting requirements of all four compliance levels. Small businesses often fall into this compliance category and only require an SAQ including applicable ASV scanning and penetration testing requirements.
Service provider levels
Like merchants, service providers are also broken down into compliance levels based on the cardholder data transaction amount they impact or the requirements of their customers.
Level 1 service providers store, process, transmit, or have an impact on more than 300,000 card transactions per year.
Similar to a Level 1 merchant, Level 1 service providers must undergo an annual audit led by a QSA. Once the audit is completed, the QSA will issue an RoC.
Level 1 service providers must also complete annual penetration testing, quarterly network scans by an ASV, and an AoC form.
Level 2 service providers store, process, transmit, or have an impact on fewer than 300,000 card transactions per year.
This level must complete an SAQ D for Service Providers and an AoC form to prove PCI compliance. It is possible at this level that customers would require the SAQ to be attested by a QSA. Level 2 service providers also need to perform annual penetration testing and conduct quarterly network scans by an ASV.
How to determine your PCI DSS compliance level
You can determine your PCI DSS compliance level by checking your card transaction volume for the most recent 52-week period and communicating with your acquiring bank or customers regarding their PCI requirements for your business.
Card payment brands each have their own standard criteria for compliance levels, but all are generally similar to the above thresholds.
If you have trouble accessing your transaction volume information or want confirmation on your compliance level, you can contact the card payment brand(s) you accept, your acquiring bank, customers, or whichever organization is requesting PCI DSS compliance from your business.