
Video | What are the 4 PCI DSS levels?

The four PCI DSS compliance levels explained

The four PCI standards — more commonly referred to as the four PCI DSS compliance levels — are an important component of the PCI DSS certification process.

In this post, we’ll take a look at the ins and outs of PCI DSS Levels 1, 2, 3, and 4 and how you can comply with each depending on your unique business situation.


Justin: So you mentioned the concept of tier, and so this probably gets into like, how is an audit or an assessment conducted for PCI DSS. This is one of my top three questions for any standard we come across. How do they specify the testing? Tell us a little bit about what you've learned about that.

Sam: Sure, absolutely. So for organizations, or merchants is what they call it in PCI, similar as if you were to call a service provider, it's still a merchant, even if they're not the one storing the credit card information. So there are four different levels. And so level one is the highest risk. So those are your large global, those are your PayPals, your WhatsApp, any of the ones that are actually storing and processing themselves. So level one is the riskiest. And so this is any merchant that has over 6 million Visa transactions.

Justin: So I'm going to describe companies that I think fall into this bucket. If you're a FinTech organization, and you are trying to connect, let's say you're building a FinTech platform, a processing platform, and you want to connect a bunch of merchants to a bank, i.e., let's say you are Stripe. This is the highest level of compliance. You need to do this level one level of compliance. Is that right?

Sam: Absolutely.

Justin: Okay. Great. All right. Who are our level twos?

Sam: Yeah. So the level twos are from 1 million to 6 million transactions. And so then your level three is your 20,000 transactions to 1 million. And then you have your level four finally, which is the least risky, and it's under 20,000 transactions.

Justin: Okay. So let's see if I can pick out some examples of these. A level two would be, to me might be, either an early FinTech platform, that wants to do a lot of processing, but hasn't quite gotten big enough, or a mature B2C organization that is processing a lot of credit card information.

Sam: Correct. For the one that's processing a lot of credit card information. And so has over 6 million transactions, would be the level one.

Justin: At the level. So then even you can go too far and wind up in level one, if you're a B2C organization and you're really big.

Sam: Correct. Yep. And so it's kind of crazy because I actually was a little bit shocked that it really does come down to the transactions. It doesn't even matter who's storing it, versus maybe who's processing it, or who's transmitting it, which is probably the least risky, but they're all part of the same bucket that they have to, they're all held to a similar standard.

Justin: I see.

Sam: Of course, I will admit that the organizations storing it, are holding even more elevated, or elevated risk, or high risk. It's just, they have more controls in what they have to assess.

Justin: Well, and this is like the experience breach. Where it's like millions and millions and millions of people's private information gets exposed because they're storing a ton of data on them, especially probably the credit card information, what credit cards they have, and things like that. So they're not even necessarily processing a ton of transactions, they just have so many people in their database.

Sam: Exactly.

Justin: So break it down for me a little bit. Level one, level two, level three, level four, four being probably the easiest assessment level one being the toughest assessment or the hardest set of requirements. Do all of them require an independent assessor?

Sam: No. So only level one is required to have a Qualified Security Assessor or a QSA, or an Internal Security Assessor, ISA, which is not as common. You typically get a QSA. And so that's your third party, typically a CPA firm, but it could be other organizations as long as they're a QSA, but they're the ones that have to validate your scope, perform the assessment. They're the ones that have to send the assessment, and send not only the report on compliance, but actually send that, basically the opinion on that compliance report to the bank. So they're the ones that are in charge of sending it on your behalf, on the organization’s behalf.

Justin: You don't even get... You're just like, "Hey, I've worked with this third party. They're the QSA. They have done the assessment to us to level one, Hey, third party, will you send this new customer, this bank, this partner, that report." You can't even originate from your email?

Sam: No. And on top of that, a third party, so the QSA firm, should get a confirmation of compliance, acceptance. So that's one thing that the organization should confirm with a third party. I've seen it before where in my previous life at audit firms, I just remember this, sometimes they wouldn't submit it even when they completed it. And so you can see that it was delayed, and what if they just never confirm? So I would just make sure that, that is your responsibility as an organization to at least confirm with that third party that you hired.

Justin: So two, three and four don't require an independent assessor. Does that mean a self-assessment, or an internal audit, or outsourced internal audit would suffice?

Sam: Yes. So you're exactly right. So levels two through four. So the least risky, or least under the umbrella. So really depending on what type of services, what type of company they are, there is what's called a self-assessment questionnaire. And so all they have to do is confirm that they are compliant for, in case the bank does come and investigate. And then the level two is different than all the other levels, because it operates similarly to level one. However, it's not required to have a third party perform that report on compliance, so your audit report. They can actually perform that, but they have to send that to the bank.

Justin: Okay. I see. Is there any benefit, let's say that you are a FinTech company, you want to help, we call them trust assets of course. Is there any benefit in that way us being like, not only are we stating we're compliant, we did this self assessment, but we actually got assessed and got a report from a reputable auditor on this. It seems to me that might be an effective marketing tool.

Sam: Absolutely. Because as we know, just like SOC 2, in a SOC 2 world, similarly in financial institutions or insurance, a lot of them are getting questionnaires as is. So if they really want to one, no longer answer those questionnaires and then two, accelerate their sales process, then if they have this report, they can just send that directly to their prospects. And you'll cover it.


PCI DSS compliance level basics

There are four PCI DSS compliance levels, and they correspond to a business’s annual number of credit card, debit card, and prepaid card transactions. These merchant levels define which requirements an organization must meet to become — and what it must do to stay — compliant:

  • Level 1: More than six million real-world credit or debit card transactions annually
  • Level 2: Between one and six million real-world credit or debit card transactions annually
  • Level 3: Between 20,000 and one million e-commerce transactions annually
  • Level 4: Fewer than 20,000 e-commerce transactions annually

It’s important to note that while the payment brands (Visa, Mastercard, Discover, and American Express) each define the merchant levels listed above, it is the acquiring bank that assigns a merchant’s PCI DSS compliance level based on the company’s annual transaction volume with that brand. Because each brand counts its own transactions, a single merchant may be assigned different PCI DSS compliance levels for different payment brands.

You can learn more about how you can define your merchant level according to each credit card brand by following the links below:

PCI DSS Level 1 compliance

PCI DSS Level 1 is the only PCI DSS compliance level that requires an on-site audit every year. Level 1 organizations include merchants that process more than six million real-world credit or debit card transactions annually. Since Level 1 is the strictest level, becoming PCI DSS compliant often takes longer for Level 1 merchants.

These companies must undergo an annual on-site PCI DSS assessment conducted by an authorized PCI Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC). Additionally, they must undergo a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV) and complete the Attestation of Compliance (AOC) form.

Merchants must then report the results of their audits to the “acquiring banks” defined by the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS Level 2 compliance

PCI DSS Level 2 applies to merchants that process between one and six million real-world credit or debit card transactions annually across all channels. While an on-site PCI DSS audit can be requested, Level 2 merchants don’t have to complete an on-site PCI DSS audit unless they’re subject to a cyber attack or data breach that compromises cardholder or credit card data.

These organizations must meet the following requirements:

  • Complete an annual assessment using a Self-Assessment Questionnaire (SAQ)
  • Complete the Attestation of Compliance (AOC) form
  • Complete a quarterly PCI ASV scan, where the applicable SAQ type requires one

The number of questions and the set of applicable requirements differ depending on which SAQ type applies to the merchant’s payment channels. Narrowing the scope of the assessment or audit (for example, by reducing the systems that store, process, or transmit cardholder data) can save an organization both time and expense.

PCI DSS Level 3 compliance

Level 3 merchants are those that handle between 20,000 and one million e-commerce transactions annually. Like Level 2 merchants, these companies must complete an annual self-assessment using the appropriate SAQ together with the Attestation of Compliance (AOC) form, and they may be required to undergo a quarterly PCI ASV scan.

PCI DSS Level 4 compliance

PCI DSS Level 4 applies to merchants that perform fewer than 20,000 e-commerce transactions annually, or up to one million transactions across all channels (e-commerce, card present, and card not present). Merchants that process fewer than 20,000 card transactions per year via e-commerce alone can also apply for PCI DSS Level 4 status.

As with Levels 2 and 3, Level 4 merchants must complete an annual self-assessment form using the appropriate SAQ for PCI DSS Level 4 and the Attestation of Compliance (AOC) form and also may be required to undergo a quarterly PCI ASV external network security scan.

Becoming PCI DSS compliant

It’s important to note that while many small or medium-sized businesses fall below the PCI DSS Level 4 threshold, the only authority that can assign a merchant’s compliance level is its acquiring bank, the institution that processes the merchant’s transactions with the card brands.
