The four PCI DSS compliance levels explained
The four PCI standards — more commonly referred to as the four PCI DSS compliance levels — are an important component of the PCI DSS certification process.
In this post, we’ll take a look at the ins and outs of PCI DSS Levels 1, 2, 3, and 4 and how you can comply with each depending on your unique business situation.
PCI DSS compliance level basics
There are four PCI DSS compliance levels, and they correspond to a business’s annual number of credit card, debit card, and prepaid card transactions. These merchant levels define which requirements an organization must meet to become — and what it must do to stay — compliant:
- Level 1: More than six million real-world credit or debit card transactions annually
- Level 2: Between one and six million real-world credit or debit card transactions annually
- Level 3: Between 20,000 and one million e-commerce transactions annually
- Level 4: Fewer than 20,000 e-commerce transactions annually
It’s important to note that while the payment brands (Visa, Mastercard, Discover, and American Express) define the merchant levels listed above, acquiring banks determine a merchant’s PCI DSS compliance level based on the company’s annual transaction volume. Because each brand defines its own thresholds, a merchant may have different PCI DSS compliance levels for different payment brands.
Need help understanding which PCI DSS compliance level your organization falls under and how you can start the compliance process? Strike Graph can help — request a demo today.
You can learn more about how you can define your merchant level according to each credit card brand by following the links below:
PCI DSS Level 1 compliance
PCI DSS Level 1 is the only PCI DSS compliance level that requires an on-site audit every year. Level 1 organizations include merchants that process more than six million real-world credit or debit card transactions annually. Since Level 1 is the strictest level, becoming PCI DSS compliant often takes longer for Level 1 merchants.
These companies must undergo an annual PCI DSS internal audit conducted by an authorized PCI Qualified Security Assessor (QSA). Additionally, they must submit to a quarterly PCI scan by an Approved Scanning Vendor (ASV) and complete the Attestation of Compliance (AOC) form.
Merchants must then report the results of their audits to the “acquiring banks” defined by the Payment Card Industry Security Standards Council (PCI SSC).
PCI DSS Level 2 compliance
PCI DSS Level 2 applies to merchants that process between one and six million real-world credit or debit card transactions annually across all channels. While an on-site PCI DSS audit can be requested, Level 2 merchants don’t have to complete one unless they’re subject to a cyber attack or data breach that compromises cardholder data.
These organizations must meet the following requirements:
- Complete an annual assessment using a Self-Assessment Questionnaire (SAQ)
- Complete the Attestation of Compliance (AOC) form
- Possibly complete a quarterly PCI ASV scan
When it comes to the SAQ, the number of questions and requirements differs depending on the SAQ type chosen. Narrowing the scope of assessments or audits can save an organization both time and expense.
PCI DSS Level 3 compliance
Level 3 merchants are those that handle between 20,000 and one million e-commerce transactions annually. Similar to Level 2 merchants, these companies also must complete the annual evaluation using the appropriate SAQ as well as the Attestation of Compliance (AOC) form and may be required to perform a quarterly PCI ASV scan.
PCI DSS Level 4 compliance
PCI DSS Level 4 applies to merchants that perform fewer than 20,000 e-commerce transactions annually or up to one million transactions via all channels (e-commerce, card present, and card not present). Merchants that process fewer than 20,000 card transactions per year via e-commerce alone can also apply for PCI DSS Level 4 status.
As with Levels 2 and 3, Level 4 merchants must complete an annual self-assessment using the appropriate SAQ for PCI DSS Level 4 along with the Attestation of Compliance (AOC) form, and they may also be required to undergo a quarterly external network security scan by a PCI ASV.
Becoming PCI DSS compliant
It’s important to note that while many small or medium-sized businesses fall below PCI DSS Level 4, the only authority that can assess the level of compliance is the institution that performs transactions with the bank or card brand.