These days, credit card payments are an inseparable part of doing business. In the U.S., consumers conducted more than 250 billion transactions in 2023 with Visa cards alone. In B2B, nearly 80% of small businesses use credit cards. Before your company can benefit from lucrative processing fees, increased sales, or streamlined billing, it must meet strict Payment Card Industry Data Security Standards. The first step is understanding how PCI compliance levels impact your business.
There are four levels of PCI DSS compliance. The elevated data security standards that merchants must follow don’t change between the different PCI compliance levels, but assessment and validation requirements do. Find out more about each category by consulting our in-depth PCI DSS level guides.
Businesses that process fewer than 20,000 online transactions, or 1 million total credit card transactions annually, belong to PCI compliance Level 4. Like other processors, Level 4 merchants must fill out a Self-Assessment Questionnaire. The SAQ outlines current PCI DSS compliance, remediation plans for potential vulnerabilities, and any corrective actions requested.
PCI compliance requirements at this level vary considerably by card issuer, so merchants need to consult with their acquiring banks. For example, Mastercard does not require annual PCI DSS validation for Level 4 merchants as long as the business doesn’t have a recent history of data theft or breaches.
Some card issuers, including Discover and Visa, only maintain three PCI compliance merchant levels, combining Level 3 and Level 4 merchants in one group.
Organizations that process more than 20,000 but fewer than 1 million online transactions a year must adhere to Level 3 PCI compliance standards. The specific requirements vary by acquirer, but in broad strokes, this PCI DSS level usually requires:
Keep in mind that not all card brands and acquiring banks use the Level 3 designation, though the requirements based on transaction volume are often the same. For example, JCB Global divides PCI DSS documentation requirements into just two levels: one for merchants with more than 1 million annual transactions and another for all other merchants.
Merchants that process between one and six million credit card or online transactions annually belong to PCI compliance Level 2. The validation requirements for Level 2 merchants always include the following:
Depending on the organization’s cardholder data environment, PCI DSS scope, and cybersecurity incident history, Level 2 merchants may need to meet additional requirements, such as a qualified assessment following a finding of noncompliance.
The strictest level of PCI validation requirements for merchants, Level 1 PCI compliance applies to organizations that process a high volume of annual transactions. For Visa and Mastercard, the threshold is 6 million online and/or credit card transactions. American Express assigns Level 1 status to any merchant processing over 2.5 million combined transactions.
How do PCI compliance requirements change at Level 1? Instead of (or in addition to) filling out an SAQ, Level 1 merchants must submit an annual Report on Compliance. The RoC is a complex and detailed report on the organization’s PCI framework and program implementation, network defenses, cybersecurity practices, and ongoing PCI DSS compliance.
To obtain a valid RoC, the highest PCI compliance merchant level requires businesses to conduct an onsite assessment. This means hiring an external Qualified Security Assessor (QSA) or using a PCI SSC-certified Internal Security Assessor (ISA) for an in-depth audit. Quarterly scans by an Approved Scanning Vendor (ASV) are still necessary for all Level 1 merchants.
Service providers have a different set of criteria than merchants for PCI DSS compliance validation. Some card networks require all service providers to undergo strict onsite audits. Others divide service providers into two PCI DSS levels based on transaction volume.
Service providers that handle fewer than 300,000 transactions annually must adhere to Level 2 PCI compliance requirements. This means filling out the SAQ and submitting an annual AoC.
Businesses that process or manage more than 300,000 transactions must meet Level 1 PCI validation standards, conducting an annual audit with a QSA and submitting a RoC. Both groups must carry out four ASV network scans a year.
In addition to looking at annual transaction volume (300,000 or more), Mastercard groups service provider PCI compliance levels based on the type of transactions offered. The following service providers must meet Level 1 PCI DSS requirements regardless of volume:
These organizations must pass an onsite PCI DSS audit performed once a year by a PCI SSC-approved QSA or ISA.
American Express uses the same four PCI compliance merchant levels for service providers:
Level 1 PCI compliance requires an onsite audit and RoC (plus AoC) every year. Other tiers must complete an annual self-assessment and carry out regular network scans.
Adhering to PCI DSS is critical for merchants and service providers. Compliance is vital to serving your clients efficiently and securely. The last thing your organization needs is to fail PCI requirements because of mischaracterizing your merchant PCI compliance level.
Cybersecurity compliance platforms like Compyl can help you accurately measure your PCI DSS scope for auditing purposes and meet the reporting requirements of the right PCI compliance levels cost-effectively. Learn more about Compyl’s powerful PCI DSS compliance features today.