
PCI DSS Compliance Levels and Requirements: A Complete Guide

If your business stores, processes, or transmits payment card data, it needs to meet the Payment Card Industry Data Security Standard (PCI DSS).

The standard is maintained by the PCI Security Standards Council (PCI SSC), which was founded by the major card brands, and it defines the baseline controls merchants and service providers must apply to cardholder data. Complying with PCI DSS reduces the risk of card-data theft and fraud, and it is a condition of continuing to accept card payments.

The effort required to validate compliance scales with transaction volume, which is why there are several PCI DSS compliance levels. The levels change how you prove compliance, not which requirements apply: every entity with cardholder data in scope must meet all twelve PCI DSS requirements. This guide explains which merchant or service provider level your organization falls into and what you must do to stay compliant.

Understanding PCI Merchant Versus Service Provider

The purpose of PCI DSS is to make sure any business that handles payment card data does so securely, to prevent the theft of cardholder data. Two main types of businesses interact with payment data: merchants and service providers.

Here are the main differences between these two categories:

  • PCI Merchants: A merchant is any business that accepts payment cards bearing the brands of the PCI SSC founding members (American Express, Discover, JCB, Mastercard, and Visa). There are four merchant levels, based primarily on the number of transactions processed per year.
  • PCI Service Providers: Service providers store, process, or transmit cardholder data on behalf of other entities, or provide services that can affect the security of that data. Examples include payment gateways, payment processors, and hosting providers. There are two service provider levels, based on the number of transactions handled each year.

PCI Compliance Levels for Merchants

The four merchant levels are listed below, from strictest to simplest. The thresholds given are the commonly cited ones used by Visa and Mastercard; each card brand publishes its own level definitions, and your acquiring bank assigns your level. Always confirm with your acquirer which thresholds and validation rules apply to you.

PCI DSS Compliance Level 1

Level 1 applies to merchants that process more than 6 million card transactions per year, counted per card brand across all channels. Because of the volume of cardholder data a Level 1 merchant handles, it is subject to the strictest validation requirements.

If your business suffers a breach that exposes cardholder data, the card brands or your acquiring bank can require you to validate as a Level 1 merchant regardless of your transaction volume.

How to Achieve Level 1 Compliance

While merchants at lower levels can validate with a Self-Assessment Questionnaire (SAQ), Level 1 merchants must undergo an annual on-site assessment that produces a Report on Compliance (RoC). The assessment is performed by an independent Qualified Security Assessor (QSA) (some acquirers also accept a RoC completed by a certified Internal Security Assessor), so Level 1 is the only merchant level for which self-assessment is not an option.

Level 1 merchants must also:

  • Have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV)
  • Undergo penetration testing at least annually and after significant changes to the environment
  • Submit an Attestation of Compliance (AoC) to their acquiring bank

PCI DSS Compliance Level 2

Level 2 merchants follow a less demanding validation path. They still process a large volume of card transactions, between 1 million and 6 million per year.

How to Achieve Level 2 Compliance

Rather than undergoing an on-site assessment, Level 2 merchants generally validate with an SAQ, although some card brands require the SAQ to be completed by a QSA or by staff with Internal Security Assessor training. The SAQ is a checklist that lets merchants assess their adherence to PCI DSS without a formal audit. There are several SAQ types (A, A-EP, B, B-IP, C, C-VT, P2PE, D for Merchants, and D for Service Providers, with SPoC added in PCI DSS v4.0), and which one you complete depends on whether you are a merchant or a service provider and on how you accept and handle cardholder data, not on transaction volume. For example, an e-commerce merchant that fully outsources its payment page to a validated third party may qualify for the short SAQ A, while one that hosts its own payment page falls under SAQ A-EP or SAQ D.

PCI DSS Compliance Level 3

If you process 20,000 to 1 million e-commerce transactions per year, you are a Level 3 merchant.

How to Achieve Level 3 Compliance

Complete the SAQ that matches your payment channels, have quarterly external vulnerability scans performed by an ASV (required by most SAQ types), perform penetration testing where your SAQ requires it, and submit an AoC to your acquiring bank.

PCI DSS Compliance Level 4

Level 4 has the lightest validation requirements. It covers merchants with fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year, which includes most small businesses.

How to Achieve Level 4 Compliance

These merchants complete the applicable SAQ annually and, where the SAQ requires it, have quarterly ASV scans and penetration testing performed. Whether and how a Level 4 merchant must submit its validation is decided by its acquiring bank.

PCI Compliance Levels for Service Providers

All service providers fall into one of two PCI DSS compliance levels:

Service Provider Level 1

Service providers that store, process, or transmit more than 300,000 card transactions per year are Level 1.

How to Achieve Level 1 Compliance

Like Level 1 merchants, these service providers cannot self-assess. They must undergo an annual on-site assessment by a QSA, which produces a RoC documenting whether the provider meets each requirement; the provider then attests to its compliance status on an AoC.

As a Level 1 service provider, you also need to:

  • Have quarterly external vulnerability scans performed by an ASV
  • Undergo penetration testing at least annually
  • Submit an AoC

Service Provider Level 2

The other service provider designation is Level 2, which applies to organizations that store, process, or transmit fewer than 300,000 card transactions per year.

How to Achieve Level 2 Compliance

As a Level 2 service provider, you must:

  • Undergo penetration testing at least annually
  • Have quarterly external vulnerability scans performed by an ASV
  • Complete SAQ D for Service Providers, the only SAQ available to service providers and the most comprehensive one, covering the full set of PCI DSS requirements
  • Submit an AoC

How to Identify Your PCI DSS Compliance Level

To identify your PCI DSS level, count the card transactions you process per year, per card brand and across all channels. Your acquiring bank assigns your merchant level and can confirm it; service providers are leveled by the card brands.

Then map how cardholder data enters, moves through, and leaves your environment. Do you sell through different channels, such as in person and online, that rely on different payment processors? Do you use standalone payment terminals only, or do you transmit card data over your own network, wireless links, or cloud infrastructure? These details do not change your level, which is set by transaction volume, but they determine which SAQ you are eligible for and how much of your environment falls within the scope of the assessment.

Each card brand sets its own level thresholds, so if you accept multiple brands and one places you at a higher level than another, follow the stricter level and adopt its validation requirements.

Make sure you stay up to date with evolving PCI DSS guidance. The best way to do so is to check the PCI SSC website and its document library regularly and to subscribe to its blog.

PCI DSS Compliance With Legit Security

Whether you are a Level 1 or a Level 4 organization, PCI DSS compliance is a condition of continuing to accept card payments. Non-compliant businesses can face fines passed through by their acquiring bank, higher transaction fees, loss of the ability to process cards, and legal action from customers if a breach occurs. Following PCI DSS gives you a defensible baseline for protecting cardholder data.

Staying compliant is easier with a partner. Legit Security can help you map your security guardrails to PCI DSS requirements, continuously monitor for policy violations, and alert you when they occur, so you can provide up-to-date evidence to auditors without manual work.

Schedule a demo to learn how you can use Legit Security to streamline PCI DSS compliance.

Published on
October 29, 2024