PCI DSS Compliance Levels: Merchant & Service Provider’s Guide

The Payment Card Industry Data Security Standard (PCI DSS) has made it mandatory for all businesses that handle payment card information and transactions to comply with it. However, businesses differ in size and do not all need the same security countermeasures. This is why, before setting out to fulfil the requirements, you must understand which PCI compliance level your business falls under.

Major credit card companies like Visa and Mastercard dictate the audit standards and security measures required for merchants based on their transaction volume. The PCI Security Standards Council (PCI SSC) has set multiple compliance levels for businesses of different sizes, defined by the number of transactions they process. These levels help organisations adopt security controls that align with their risk level: the more transactions a business processes, the higher the risk it poses to banks, merchants, processors, etc. In this article, we will learn about the compliance levels for merchants and service providers and explore how to stay compliant.

A Guide to PCI DSS Compliance Levels

PCI compliance levels and requirements mainly address the two entities that process and handle cardholder data today: merchants and service providers. These two entities must adhere to varying PCI compliance levels based on their transaction volume per year.

PCI Merchant Compliance Levels

PCI merchants are businesses of any size, small, medium, or large, that accept payment cards for goods or services. Simply put, merchants are the businesses that directly handle customer transactions. Based on transaction volume, merchants are classified into four PCI compliance levels.

PCI Level 1 Merchant

To whom does it apply?

Regardless of business size, PCI compliance Level 1 applies to all merchants that process over 6 million transactions per year.

PCI level 1 merchant requirements

Because of their higher transaction volume, Level 1 merchants must demonstrate strong security by fulfilling the following requirements:

  • Annual Self-Assessment Questionnaire (SAQ): Level 1 merchants must complete a relevant SAQ to assess compliance.
  • Annual Report on Compliance (RoC): To validate PCI DSS adherence, a RoC must be completed with a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).
  • Quarterly Network Scans: Run quarterly vulnerability scans by an Approved Scanning Vendor (ASV) to identify security risks across systems, servers, and networks.
  • Annual Penetration Testing: Merchants must perform a PCI penetration test annually to detect and mitigate infrastructure vulnerabilities.
  • Attestation of Compliance (AoC): An AoC document must be submitted to confirm the business meets PCI DSS requirements.

Level 1 merchants must also provide a Report on Compliance (RoC) after the annual audit.

PCI Level 2 Merchant

To whom does it apply?

Level 2 compliance applies to merchants that process between 1 million and 6 million transactions per year.

PCI level 2 merchant requirements

Level 2 requirements are somewhat more relaxed than Level 1 and include the following measures to ensure cardholder data security:

  • Self-Assessment Questionnaire (SAQ): Instead of an on-site audit via ISA or QSA, level 2 merchants are only required to complete an SAQ document. The SAQ varies for merchants or service providers based on their transaction volume.
  • Quarterly Network Scans: To identify potential vulnerabilities across payment infrastructure and systems, regular scans by an Approved Scanning Vendor (ASV) are required.
  • Annual Penetration Testing: Merchants must conduct penetration tests annually to detect and address infrastructure vulnerabilities.
  • Attestation of Compliance (AoC): Merchants must submit an AoC to confirm compliance with PCI DSS standards.
  • Onsite Audit (if required): Where required, Level 2 merchants must submit a Report on Compliance (RoC) completed by internal evaluators.

PCI Level 3 Merchant

To whom does it apply?

PCI DSS Level 3 compliance applies to merchants processing between 20,000 and 1 million card transactions annually.

PCI level 3 merchant requirements

Level 3 requirements focus on maintaining functional security practices, which include:

  • Self-Assessment Questionnaire (SAQ): Level 3 merchants must complete an SAQ to evaluate their compliance with PCI DSS standards. However, a QSA is not mandatory for Level 3.
  • Quarterly Network Scan: To detect potential vulnerabilities across systems, regular scans by an Approved Scanning Vendor (ASV) are required.
  • Attestation of Compliance (AoC): Merchants must submit an AoC form to confirm their compliance.
  • Penetration Testing (Optional): Penetration tests are not required for Level 3 merchants, though conducting them as a best practice is encouraged.

Level 3 merchants do not need a formal RoC but can submit one voluntarily for improved standing.

PCI Level 4 Merchant

To whom does it apply?

PCI DSS compliance Level 4 applies to merchants processing fewer than 20,000 transactions annually.

PCI level 4 merchant requirements

Level 4 addresses small-business security and has the most lenient requirements, which include:

  • Self-Assessment Questionnaire (SAQ): Level 4 merchants need to complete an SAQ to assess their PCI DSS compliance.
  • Quarterly Network Scan: To identify vulnerabilities across systems, regular scans by an Approved Scanning Vendor (ASV) are required.
  • Penetration Testing (Optional): While not strictly required, penetration testing is recommended as a security best practice.
  • Attestation of Compliance (AoC): Depending on the payment processor’s request, an AoC may be required to confirm compliance.

Here, compliance requirements are mostly defined by the merchant's acquiring bank. To qualify for this level, organisations must not have experienced data breaches or cyber-attacks that compromised cardholder data; a history of data breaches can elevate a company's compliance requirements.

PCI Service Provider Compliance Levels

PCI service providers are businesses that process, store, or transmit cardholder data on behalf of merchants. Examples include payment gateways, cloud service providers, and hosting services. In essence, service providers facilitate the payment process behind the scenes. Based on their transaction volume, service providers have two levels of PCI compliance.

PCI Level 1 Service Provider

To whom does it apply?

Level 1 compliance applies to service providers that process over 300,000 card transactions annually.

PCI level 1 requirements

To achieve Level 1 compliance, service providers must fulfil the following requirements:

  • Qualified Security Assessor (QSA) Audit: Engage a QSA for an annual external audit to verify compliance. The QSA leads the process and issues a Report on Compliance (RoC) if all standards are met.
  • Quarterly Network Scans: Conduct regular scans by an Approved Scanning Vendor (ASV) to identify vulnerabilities across networks.
  • Annual Penetration Testing: Perform annual penetration tests to identify and remediate system vulnerabilities.
  • Attestation of Compliance (AoC): After a successful assessment, an AoC confirms the organisation’s PCI DSS compliance status.

PCI Level 2 Service Provider

To whom does it apply?

Level 2 applies to service providers that handle fewer than 300,000 card transactions annually.

PCI level 2 requirements

To achieve Level 2 compliance, service providers must fulfil the following PCI compliance requirements:

  • Annual Penetration Testing: Conduct penetration testing annually to identify and address any vulnerabilities in the system.
  • Quarterly Network Scans: Perform quarterly scans by an Approved Scanning Vendor (ASV) to detect vulnerabilities across networks.
  • Complete SAQ D: Fill out the most comprehensive self-assessment questionnaire (SAQ D).
  • Attestation of Compliance (AoC): After successfully completing the assessments, obtain an AoC to confirm PCI DSS compliance status.

Steps to Determine Your PCI Compliance Levels – Role and Cardholder Data

  1. Identify Your Role: Determine if you are a merchant or a service provider.
  2. Calculate Annual Transaction Volume: You can track your historical transaction records or consult with your acquiring bank to get this data.
  3. Refer to PCI Guidelines: Check the PCI guidelines to confirm your level among the four compliance levels based on your transaction volume, and consult your bank for further validation.

How to Become PCI DSS 4.0.1 Compliant?

Becoming PCI DSS compliant is straightforward only if you fully understand its importance and prerequisites. It applies to all entities, both merchants and service providers, that handle cardholder data. The compliance process includes the following steps.

Choosing an external auditor – PCI DSS QSA

Based on your compliance level, you select a Qualified Security Assessor (QSA) to conduct the PCI audit. The assessor performs a thorough audit to verify the provided technical data and scope, evaluates the security controls, and produces a final Report on Compliance (RoC).

Choosing an Approved Scanning Vendor (ASV)

Vulnerability assessment and penetration testing are important steps in achieving compliance. Only an Approved Scanning Vendor is authorised to conduct the scans and document the results, which are used to identify and remediate missing security controls or vulnerabilities.

Scope of PCI DSS Compliance Requirements

Scoping defines all systems in the cardholder data environment (CDE), covering every component that handles cardholder data. It should be performed at least annually to keep the CDE definition accurate, and the documented scope should be available for assessor review.

Using the Self-Assessment Questionnaire (SAQ)

Based on your compliance level, select the appropriate SAQ to report self-assessment results. This questionnaire helps identify whether the entity meets PCI DSS requirements.

Reporting

Official documents such as the RoC, SAQ, and scan results provide a formal record of PCI compliance. All of them are submitted, with the AoC, to the acquiring bank or payment brand.

How Can Cyphere Help?

At Cyphere, we thoroughly study business pain points and propose tailored solutions to meet business and industry needs. Whether you're a merchant or a service provider, we have a complete suite of PCI compliance solutions. From gap analysis and PCI penetration testing through to final certification, we can address all your compliance challenges and help you maintain a strong security posture.

Get in touch with us today to become PCI DSS compliant or discuss your security compliance concerns.

FAQ

1. How can I know my transaction volume?

To determine your PCI DSS level, check the transaction record with your bank. If that is not available, use historical or projected transaction volume to confirm your compliance level.

2. Which Self-Assessment Questionnaire (SAQ) should we use?

There are various SAQs, each suited to a particular payment channel. For specific guidance, check with a QSA or refer to the PCI DSS guidelines.

3. Can multiple SAQs be submitted for different payment methods?

Yes, depending on the transaction methods you use, you may need to submit different SAQs for each payment method.

4. What role does our acquiring bank play in determining our compliance levels?

The bank can confirm your transactions per year and help you determine your merchant or service provider compliance level.

5. When do I need a Qualified Security Assessor’s (QSA) help?

If you are a level 1 or level 2 merchant or level 1 service provider, you need a QSA to conduct an external audit. If all standards are met, the QSA will issue a Report on Compliance (RoC), which is required to achieve PCI DSS compliance.

6. Can I downgrade my PCI compliance level if my transaction volume decreases?

Yes, but to downgrade your PCI DSS compliance level, your acquiring bank must verify and approve the reduced transaction volume.

7. What happens if I fail to meet my PCI compliance level requirements?

In such cases, you will have to pay penalties and can be prohibited from processing payment cards.

8. Do I need to conduct penetration testing at all PCI compliance levels?

Penetration testing is mandatory for level 1 merchants and service providers. For other PCI compliance levels, the scope and frequency vary.

9. What is the difference between PCI levels 1 & 2?

Level 1 requires a QSA-led external compliance audit, while Level 2 can be satisfied with an SAQ.

*** This is a Security Bloggers Network syndicated blog from Cyphere authored by Harman Singh. Read the original post at: https://thecyphere.com/blog/pci-dss-compliance-levels/