Four Levels of PCI Compliance

Comprehensive Guide to the Four Levels of PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is the fundamental security protocol for credit card transaction merchants. To collaborate with leading credit card companies, merchants are required to adhere to these standards to maintain PCI compliance. The PCI DSS specifies four levels of compliance, which are determined based on the volume of transactions a merchant processes annually.

Merchants must identify their applicable compliance level and conduct necessary assessments, audits, and reporting. This article will explore the different levels of PCI compliance and highlight key aspects of compliance reporting.

Understanding the Four Levels of PCI Compliance

Understanding the Four Levels of PCI Compliance

PCI DSS, or Payment Card Industry Data Security Standard, is a set of guidelines and obligations designed to ensure companies handling credit card information maintain a secure environment. This is crucial for any business size to minimize the risk of card data breaches. PCI DSS provides a framework for securely managing credit card numbers and payment data during e-commerce transactions, covering everything from collecting and storing to transmitting cardholder information. There are 12 requirements under PCI DSS that merchants and service providers must fulfill to collaborate with major credit card companies.

These standards were developed by the PCI Security Standards Council (PCI SSC), established by major credit card companies, including Discover Financial Services, American Express, Mastercard, JCB International, and Visa. The council sets these data security standards and continuously updates and promotes them to enhance payment card data security and prevent fraud. The PCI SSC also offers various resources to implement these standards, such as tools for scanning and assessments, training programs, self-assessment questionnaires, and certification of compliance products.

The Four Levels of PCI Compliance:

  • Level 1: It applies to organizations processing over six million transactions per year. This level typically includes major credit card issuers, large financial institutions, and other entities handling high volumes of transactions.
  • Level 2: Targets organizations that process between one and six million transactions annually, encompassing mid-sized businesses with significant transaction volumes but not at the highest scale.
  • Level 3: Includes organizations that handle 20,000 to one million e-commerce transactions annually. These are generally smaller e-commerce operations with moderate transaction volumes.
  • Level 4: This level is for organizations processing fewer than 20,000 e-commerce transactions and up to one million transactions via other channels annually. It most applies to small businesses, local retailers, and service providers with smaller transaction volumes.

How Does it Work?

Maintaining the security of customer payment information is of utmost importance for any business that processes online credit card transactions. This is where PCI compliance comes into play, which entails a set of security measures such as point-to-point encryption, multi-factor authentication, and robust password protocols. Although not legally mandated, payment service providers often require these security standards to be implemented in the merchant agreements to ensure the safety of sensitive payment information.

It’s worth noting that the PCI security standards are uniform across all payment card companies, but the criteria for achieving specific compliance levels may differ. Payment card companies have their own PCI compliance tiers, which are based on the annual volume of online transactions and business processes. These tiers dictate the depth of audits required and the level of stringency for the security measures that must be implemented.

What are the PCI Compliance Levels?

What are the PCI Compliance Levels?

PCI compliance is categorized into four levels, determined by a merchant’s annual volume of credit card transactions. Each level mandates specific actions that merchants must undertake to meet compliance requirements.

PCI Merchant Level 1 Compliance

PCI Level 1 compliance applies to merchants processing over 6 million card transactions annually, typically involving large corporations operating across multiple regions. Transactions across all channels, including card-present, card-not-present, and e-commerce, contribute to the compliance requirements.

Among the four PCI compliance levels, Level 1 is unique in that it mandates an external audit by a third-party auditor. This audit is conducted by a Quality Security Assessor (QSA) or an Internal Security Assessor, who are professionals designated by the PCI Security Standards Council (PCI SSC). The QSA conducts a comprehensive on-site evaluation of the merchant’s practices to verify compliance with PCI standards.

During the audit, the QSA will outline its scope, examine the organization’s documentation and data storage practices, and ultimately determine the merchant’s compliance status. The findings from this thorough review are documented in a Report on Compliance (ROC).

Additionally, Level 1 merchants must conduct network scans quarterly. These scans are less detailed than the annual audit and are performed by Approved Scanning Vendors (ASVs). Although these scans are typically conducted remotely, they serve as important periodic checks on the network’s security status.

Lastly, Level 1 merchants are required to complete an Attestation of Compliance form. This form allows merchants to articulate their compliance on their own terms, offering a self-reported summary of their security posture. Unlike the external audit, the attestation is prepared internally by the organization’s own staff.

PCI Merchant Level 2 Compliance

Organizations processing between 1 and 6 million transactions per year, such as small to medium enterprises (SMEs) operating in active trade areas or across state or provincial lines, fall under PCI DSS Compliance Level 2.

Unlike Level 1, Level 2 merchants are not required to undergo an external audit but must complete an internal evaluation using the Self-Assessment Questionnaire (SAQ) provided by the PCI Security Standards Council (PCI SSC). This allows Level 2 merchants to assess and document their adherence to PCI DSS requirements themselves.

While Level 2 merchants do not need a Quality Security Assessor (QSA), they must still demonstrate full implementation of all PCI compliance guidelines. Like Level 1 merchants, they are required to conduct quarterly vulnerability scans. These scans help identify and address potential vulnerabilities within the network infrastructure, enhancing the organization’s security posture.

Additionally, Level 2 compliance involves establishing comprehensive security policies and processes. These should cover incident response, encryption, and access control records to protect sensitive data during transmission and storage. Strict access controls must also be enforced, limiting access to cardholder data to those with a legitimate need to know and ensuring that only authorized individuals can access sensitive information.

Employees should receive regular security awareness training to stay informed about the latest security practices and procedures. Although the scrutiny for Level 2 compliance may not be as intense as for Level 1, maintaining a robust security posture is imperative to protect the privacy and integrity of credit card transactions and to minimize the risk of data breaches and unauthorized access to sensitive data.

PCI Merchant Level 3 Compliance

A PCI-DSS Level 3 merchant processes between 20,000 and 1 million transactions annually. The requirements for this level are akin to those of Level 2. Interestingly, JCB International does not differentiate between Levels 2 and 3; it classifies all entities processing over 20,000 transactions as Level 2 organizations. Excluding this classification, Level 3 merchants are required to complete Self-Assessment Questionnaires (SAQs) to demonstrate their compliance with the relevant PCI-DSS standards.

In terms of compliance controls and testing, Level 3 companies must engage approved vendors to perform quarterly network scans. These scans are critical for identifying security vulnerabilities, which must be addressed promptly. While penetration testing is considered a best practice for enhancing security, it is not mandatory for Level 3 merchants under PCI-DSS guidelines.

PCI Merchant Level 4 Compliance

PCI DSS Compliance Level 4 is designated for merchants processing fewer than 20,000 e-commerce transactions per year and all other merchants processing up to 1 million Visa transactions annually, such as small local businesses.

In contrast to the more stringent requirements of higher compliance levels, Level 4 merchants are not required to undergo formal audits, submit Reports on Compliance (ROC), or provide Attestation of Compliance (AOC) forms.

The primary compliance obligations for Level 4 organizations involve adhering to the PCI requirements set by their banks. These typically include engaging only Qualified Integrators and Resellers (QIRs) to install, integrate, and service point-of-sale (POS) systems and applications. Level 4 merchants must also complete an annual Self-Assessment Questionnaire (SAQ) and conduct quarterly network scans with an Approved Scanning Vendor (ASV).

Requirements for PCI Compliance

Requirements for PCI Compliance

Achieving PCI DSS compliance requires businesses to successfully fulfill all 12 specified security standards. These 12 primary requirements encompass a wide range of security measures, including firewalls, antivirus software, and strong password protocols.

Each main requirement is further broken down into sub-requirements, which can be particularly challenging for smaller organizations to meet without expert assistance. Here are the 12 requirements for PCI DSS compliance:

  • Firewall Installation and Maintenance: Set up and sustain a firewall configuration to shield cardholder data by regulating incoming and outgoing network traffic according to established security rules.
  • Proper Password Protections: Refrain from using vendor-supplied default settings for system passwords and other security parameters. Implement robust password policies and periodically change them.
  • Protection of Stored Cardholder Data: Limit the retention of cardholder data and employ strong encryption, truncation, masking, and hashing to safeguard it.
  • Encryption of Transmitted Cardholder Data: Secure cardholder data during transmission over open networks to prevent interception and unauthorized access.
  • Use of Antivirus and Anti-malware Software: Consistently update and maintain antivirus and anti-malware software to protect against threats to the security of cardholder data.
  • Maintain Secure Systems and Applications: Keep systems and applications secure by routinely updating and patching them, and eliminating any known vulnerabilities.
  • Restrict Data Access to a Need-to-Know Basis: Only allow access to cardholder data to individuals whose roles require it.
  • Assign a Unique ID to Each Person with Access to Data: To facilitate the monitoring of their activities, assign each person with computer access to cardholder data a unique ID.
  • Restrict Physical Access to Cardholder Data: Ensure the physical security of cardholder data to prevent unauthorized access.
  • Track and Monitor All Access to Network Resources and Cardholder Data: Utilize logging mechanisms and regularly review logs to detect and address potential security threats.
  • Regular Testing of Security Systems and Processes: Periodically test security systems and processes to confirm the effectiveness of protective measures.
  • Maintain an Information Security Policy: Create, sustain, and communicate a comprehensive security policy that outlines the protocols for securing cardholder data.

Given the complexity and range of these requirements, establishing a PCI-compliant security infrastructure is often a formidable challenge for small to medium-sized businesses. It is not uncommon for these businesses to hire additional engineers to support their in-house resources.

Each of these requirements involves varying costs and timeframes for successful implementation, making it essential for organizations to plan and allocate resources accordingly.

Cost Factors for PCI Compliance

The expenses associated with compliance can differ significantly based on your business’s level of operations. For example, a Level 4 business might incur several thousand dollars annually in compliance costs. These expenses could cover hiring a compliance officer, acquiring compliance software, and performing regular audits. As your business ascends to a higher tier, the costs associated with maintaining compliance will likely increase, mainly if more comprehensive measures are necessary to ensure your business’s management capabilities.

This cost escalation might involve investments in specialized training and certification programs or the addition of staff dedicated to managing compliance tasks. Ultimately, the total cost of compliance will vary depending on your business’s size and complexity and the particular regulations relevant to your industry.

The exact cost of achieving PCI compliance varies significantly based on several factors related to your organization’s setup:

  • Business Type: Whether you’re a Level 1 merchant, a large franchise, a service provider, or a small mom-and-pop shop, each type of business has different levels of cardholder data, environmental structures, and associated risks. These differences necessitate tailored compliance measures, affecting overall costs.
  • Organization Size: Larger organizations generally face more potential compliance challenges. More employees, processes, programs, computers, cardholder data volumes, and departments contribute to increased compliance costs.
  • Security Culture: Your upper management’s emphasis on data security can also influence costs. If data security is a priority, investing in it may not face much internal resistance. Conversely, if management is reluctant to allocate a budget due to a lack of understanding of the security liabilities, this can complicate compliance efforts.
  • Dedicated PCI Staff: While having a team dedicated to PCI compliance is beneficial, most organizations still require external consultancy to navigate the complexities of PCI requirements effectively.
  • Support from Acquirers: In some cases, acquiring banks may collaborate with PCI DSS vendors to cover compliance costs for their smaller merchants, although this practice is relatively rare.

Understanding these variables will help estimate the financial investment necessary for maintaining compliance with PCI standards.

What are the Costs of PCI Non-Compliance?

PCI non-compliance fines can start at $5,000 and may escalate to as high as $500,000 per incident involving significant data security breaches. The exact amount of these fines varies based on the PCI controls’ effectiveness and, in cases where a breach occurs, whether the breach was directly linked to a failure in those controls.

Merchants face potential additional penalties in addition to these fines. Banks and payment processors might terminate their relationships with non-compliant merchants, increase per-transaction fees, or demand that the merchant cover the cost of replacing payment cards compromised in a breach. Furthermore, a breach may compel a merchant to meet higher compliance standards, which can be more stringent and costly.

Regulations also require that individuals affected by a data breach be notified in writing to monitor for possible fraudulent activity on their accounts. It’s impossible to downplay such a breach of trust quietly.

Given these compounded financial and regulatory consequences, the total costs incurred from a single data breach can dramatically exceed the initial fines, potentially leading to severe financial impacts for businesses of any size.


Steering through the complex landscape of PCI compliance is crucial for businesses that process credit card transactions. The compliance levels, ranging from Level 1 for high-volume merchants to Level 4 for smaller businesses, outline specific requirements and obligations. Adherence to PCI DSS standards helps safeguard sensitive customer data and mitigates the risk of reputational damage, costly liabilities, and chargebacks. Each level has unique responsibilities, such as external audits for Level 1 merchants and self-assessments for Level 4.

Understanding the nuances of these compliance levels, comprehensive security measures, and regular assessments is essential for businesses to maintain PCI compliance effectively. Failure to do so can result in substantial financial penalties, reputational harm, and regulatory repercussions, underscoring the importance of prioritizing PCI compliance within any organization’s operational framework.

Frequently Asked Questions

  1. What are the different levels of PCI compliance, and how are they determined?

    PCI compliance levels depend on annual credit card transaction volumes: Level 1 for over 6 million, Level 2 for 1 to 6 million, Level 3 for 20,000 to 1 million, and Level 4 for fewer than 20,000 transactions. These thresholds guide the level of security measures needed​.

  2. What are the primary requirements for each level of PCI compliance?

    Level 1 needs an annual Report on Compliance (ROC), quarterly network scans, and a formal Attestation of Compliance (AOC). Level 2 requires an annual Self-Assessment Questionnaire (SAQ), similar to Level 3, tailored for smaller transaction volumes, while Level 4 typically demands an SAQ and quarterly scans​.

  3. How does a business determine its PCI compliance level?

    Businesses determine their PCI compliance level by reviewing annual transaction volumes across all payment channels. They can conduct internal audits or consult their acquiring bank or payment service provider for accurate assessment​.

  4. What is the importance of maintaining PCI compliance for all levels?

    Maintaining PCI compliance safeguards cardholder data, reduces data breach risks, and ensures adherence to industry standards. Non-compliance can lead to fines, damage to reputation, and legal issues, making it crucial for businesses to meet security requirements​.

Save Time, Money, & Resources

Categories: PCI DSS Compliance, Small Business and Entrepreneurs

Get Started

Ready for the ultimate credit card processing experience? Fill out this form!

Contact HMS

Ready for the ultimate credit card processing experience? Ask us your questions here.