PCI DSS Merchant Levels – Complete Guide

Vimal Mohan


Jan 02, 2024


Credit card transactions have become the lifeblood of commerce. With this convenience comes a critical responsibility: protecting sensitive cardholder data. As cyber threats evolve and data breaches make headlines, businesses of all sizes must prioritize the security of payment information. 

This is where the Payment Card Industry Data Security Standard (PCI DSS) comes in. It’s a set of security rules for any business that handles credit card payments. But not all businesses are the same size or face the same risks.

As a merchant, your specific compliance requirements depend on which level you fall into. Whether you’re processing millions of transactions or just a few thousand, knowing your PCI DSS Merchant Level is the first step towards effective cardholder data protection.

In this article, we talk about the four PCI DSS merchant levels, also known as PCI compliance levels, why they exist, and how to determine which one applies to your business. We also share insights on the Self-Assessment Questionnaire (SAQ).

TL;DR 

PCI compliance levels categorize merchants based on their annual transaction volume, with four levels ranging from Level 1 (over 6 million transactions) to Level 4 (fewer than 20,000 e-commerce transactions).
The validation requirements become more stringent as the transaction volume increases: Level 1 merchants must have an annual on-site assessment, while Level 4 merchants can usually self-assess. The security controls themselves (the 12 PCI DSS requirements) apply at every level.
Regardless of your PCI compliance level, you will need to validate every year, either with a Self-Assessment Questionnaire or, for Level 1, a Report on Compliance, perform the required vulnerability scans, and provide an Attestation of Compliance as proof.

What are PCI Compliance Levels?


PCI compliance levels categorize merchants by the volume of their business, i.e., the number of card transactions processed every year. Merchants are classified into four PCI merchant levels, and the validation requirements get more stringent as the size and complexity of operations increase. A Level 1 business has the most comprehensive list of things to do to demonstrate compliance, while the process for a Level 4 company to validate PCI DSS compliance is comparatively simpler.

Read on to know PCI DSS compliance levels and the requirements further in the article.

Why do Organizations need to follow PCI DSS Levels of Compliance?

The PCI merchant levels set out how an organization is expected to validate that it has become, and remains, PCI DSS compliant. The PCI Security Standards Council (PCI SSC), which maintains the standard, is not a regulator and does not audit merchants itself. Compliance is enforced by the card brands through acquiring banks, which assign merchant levels and collect the validation evidence.

When a merchant is breached, the card brands or the acquirer can require a forensic investigation (typically by a PCI Forensic Investigator, or PFI) to establish whether the merchant was meeting all the listed requirements at the time of the breach. If compliance violations are detected, the card brands can impose hefty fines, which the acquirer passes on to the merchant. In some cases, the merchant's ability to accept card-based transactions is revoked, and a breached merchant can be reclassified as Level 1 regardless of its transaction volume.


PCI DSS compliance levels give businesses a classification and determine how they must validate compliance. Note that the level does not change which security controls apply: all 12 PCI DSS requirements apply to every in-scope environment, and only the validation method (self-assessment versus on-site assessment) and the evidence you must provide differ by level.

How to determine if you’re a PCI DSS merchant or a service provider? 

Understanding whether your business is a merchant or a service provider is crucial for determining your PCI DSS compliance requirements and responsibilities. Each category has its own set of compliance levels and specific obligations under the PCI DSS framework.

Merchants:

You’re a merchant if your business directly accepts card payments from customers using any of the five major card brands (American Express, Discover, JCB, MasterCard, or Visa). 

Service providers:

You’re a service provider if your business isn’t a payment card brand but is involved in processing, storing, or transmitting cardholder data on behalf of merchants. This category also includes companies whose services could impact cardholder data security, such as managed firewall providers or hosting services.

Here are some key differences between the two:

  1. Customer relationship: Merchants interact directly with cardholders, while service providers typically interact with merchants or other businesses.
  2. Payment acceptance: Merchants accept payments, while service providers facilitate or secure the payment process.
  3. Compliance focus: Merchants focus on securing their own payment environments, while service providers must ensure their services don’t compromise the security of multiple clients’ data.
  4. Scope of responsibility: A merchant’s PCI DSS scope is typically limited to their own operations, while a service provider’s scope can extend to multiple clients and complex data flows.

What Are The 4 PCI DSS Levels?

The PCI Security Standards Council, founded by the major card brands (American Express, Discover Financial Services, JCB, MasterCard, and Visa), maintains the 12 requirements that apply to merchants accepting payment cards. Each card brand publishes its own merchant level definitions, which is why the thresholds below differ slightly from brand to brand.

Merchants

These PCI categories for merchants can be divided into four PCI merchant levels:

  • PCI Level 1 – Organizations processing over 6  million annual transactions.
    • Annual on-site audit by a Qualified Security Assessor (QSA)
  • PCI Level 2 – Organizations processing between 1  and 6 million annual transactions
    • Annual Self-Assessment Questionnaire (SAQ)
  • PCI Level 3 – Organizations processing between 20,000 and 1 million annual transactions and all e-commerce merchants
    • Annual Self-Assessment Questionnaire (SAQ)
  • PCI Level 4 – Organizations processing less than 20,000 annual transactions
    • Annual SAQ (recommended, may be required by some acquirers)

Let’s understand PCI merchant levels better:

PCI Level 1

If a business processes over six million transactions a year, it is a Level 1 business. This definition is simplified, as other qualifying factors also come into play to decide if a business is Level 1. You are a Level 1 business if any one of the following criteria is met.

Here’s a comprehensive list to identify if your business is a Level 1 business:

  • You process over 6 million VISA, MasterCard, and Discover transactions in a year
  • You process over 2.5 million transactions of American Express in a year
  • You process over 1 million JCB transactions in a year
  • You have been identified as a Level 1 business by any other card provider
  • You have been a victim of a cyber security incident in the recent past that led to the loss of customer data

A common misconception is that a business must actively process transactions to be Level 1. That is not the case. Your level is driven by the transaction volume attributed to you (or by a breach), not by which activity you perform: a business that only stores cardholder data is still fully in scope for PCI DSS, and if its volume or a breach puts it at Level 1, it must validate as Level 1.

Third parties such as firewall service providers and cloud storage providers that handle, or can affect the security of, cardholder data on behalf of merchants are not merchants at all. They are service providers and are classified under the separate service provider levels described later in this article.

PCI Level 2

Any business that processes 1 to 6 million transactions annually is, as a general rule, a Level 2 business.

Like Level 1, Level 2 also has other qualifiers. Here’s the list:

  • You process 1 to 6 million Visa, MasterCard, or Discover transactions in a year
  • You process 50,000 to 2.5 million American Express transactions in a year
  • You process fewer than 1 million JCB transactions in a year


PCI Level 3

In everyday terminology, a Level 3 business processes fewer than 1 million transactions annually. However, like the other two levels, Level 3 has brand-specific qualifiers you should know about, and for most brands it is defined by e-commerce volume rather than total volume.

For example, you are a Level 3 business if:

  • You process 20,000 to 1 million Visa e-commerce transactions in a year
  • You process 20,000 to 1 million MasterCard e-commerce transactions in a year
  • You process 20,000 to 1 million Discover e-commerce transactions in a year
  • You process fewer than 50,000 American Express transactions annually

Did you know that JCB does not identify Level 3 status? Any organization processing less than 1 million JCB transactions in a year must comply with the PCI DSS Level 2 requirements.

PCI Level 4

Any business that processes fewer than 20,000 Visa or MasterCard e-commerce transactions in a year, or up to 1 million total Visa or MasterCard transactions in a year across all channels, is classified as a Level 4 business.

It is important to note that, for a business to maintain a Level 4 status, it should not have been breached or become a victim of data theft in the recent past.


Sprinto sets up guardrails for each level to ensure you are following the correct actions and deterring improper ones. By maintaining a robust, continuously monitored PCI DSS compliance program, you can manage card data environments with confidence and effortless adherence to PCI standards. Talk to our experts today

Also find out: How to automate PCI compliance

“One of the significant changes in PCI DSS 4.0 is the introduction of the customized approach. Unlike the prescriptive nature of earlier versions with defined controls, this version allows organizations with higher security maturity to conduct targeted risk assessments. They can determine if they qualify for the customized approach, define their own controls, and implement their own methods. This flexibility fosters innovation in payment security.”

According to Swapnil Tripathi, PCI QSA, ISO LA and Green belt LSS at Sprinto

Service providers 

The Payment Card Industry Data Security Standard (PCI DSS) categorizes service providers into two levels based primarily on the volume of transactions they handle annually. This categorization determines the specific compliance requirements each provider must meet to ensure the security of cardholder data. 

PCI Level 1 

Level 1 is reserved for service providers that store, process, or transmit more than 300,000 card transactions annually. These organizations face the most stringent compliance requirements due to the significant volume of sensitive data they handle.

Compliance for Level 1 providers involves a comprehensive annual assessment conducted by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC). 

This is accompanied by quarterly network scans performed by an Approved Scanning Vendor (ASV). Additionally, these providers must conduct regular penetration testing and internal vulnerability scans to ensure robust security measures are in place.

PCI Level 2 

Service providers handling fewer than 300,000 card transactions annually fall into the Level 2 category. While their compliance requirements are slightly less rigorous than Level 1, they still face substantial obligations to protect cardholder data.

Level 2 providers are required to complete an annual Self-Assessment Questionnaire D (SAQ D-Service Providers), which is a comprehensive document designed specifically for service providers. 

Like their Level 1 counterparts, they must also undergo quarterly network scans by an ASV and conduct regular penetration testing and internal vulnerability scans.


How Can Merchants Determine Their PCI DSS Level?

If you are still not sure of your transaction volume, conduct an internal review of the last 52 weeks of payment data. Count transactions separately for each card brand, and separately for e-commerce and card-present channels, because the thresholds differ by brand and, for Levels 3 and 4, depend on e-commerce volume specifically.

You can also hire an external assessor for this job to ensure that no data is missed and that your conclusion about your PCI DSS level is accurate. Keep in mind that the acquiring bank makes the final determination of your level and can assign a higher level than your volume alone would indicate, for example after a breach.

The last thing you want is to become non-compliant by validating against the wrong set of PCI DSS requirements.

Find out: How to become PCI DSS-certified

What is a Self-Assessment Questionnaire for merchants?

Filling out a Self-Assessment Questionnaire (SAQ) is a mandatory step in the PCI compliance process for merchants who are not required to have an on-site assessment. Which SAQ a business fills out depends on how it processes card transactions. For instance, if a business accepts e-commerce transactions but fully outsources all cardholder data functions to a validated third party, so that it does not store, process, or transmit card data in its own environment, it is eligible for SAQ A. Likewise, SAQ B is for merchants who use only imprint machines or standalone dial-out terminals and keep no electronic cardholder data storage.

SAQs and merchant levels

Based on how card data enters and moves through your environment, you are required to fill out a specific SAQ type (A, A-EP, B, B-IP, C, C-VT, P2PE, or D). The more of the cardholder data environment you operate yourself, the longer the applicable SAQ, with SAQ D covering the full set of requirements.

To validate PCI DSS compliance, every organization processing card transactions must complete an annual assessment (an SAQ, or a Report on Compliance for Level 1), perform the vulnerability scans required for its level and SAQ type, and produce an Attestation of Compliance (AOC).

A Level 1 business will need to get its assessment done either by an external QSA (Qualified Security Assessor) or by an ISA (Internal Security Assessor). The assessor confirms the scope of the cardholder data environment and evaluates whether the requirements are met and the necessary controls and policies are implemented.

After the assessment, they produce a Report on Compliance (ROC), which, together with the AOC, is submitted to the acquiring bank (and, where required, the card brands), not to the PCI Council.

For any business that qualifies as Level 2 to 4, the process is less intensive than for a Level 1 business. Level 2 to 4 companies can complete their assessment themselves with the applicable SAQ. That said, individual card brands and acquirers can impose stricter validation on Level 2 merchants, so confirm your exact obligations with your acquirer.

Also check out: How to get PCI compliance attestation

Sprinto helps you fill out the right one of the nine Self-Assessment Questionnaires (SAQs) based on how you handle cardholder information. Collaborate with Sprinto experts to complete your SAQ obligations. Get a demo now

Find out how Sprinto Can Help You Become PCI DSS Compliant

The PCI DSS compliance process is exhaustive and time-intensive. Hundreds of controls must be implemented based on your business needs and processes. And doing this yourself can result in non-compliance, loss of productivity, and make the process expensive.

 Did we mention there is a chance that you could be non-compliant after all the effort, time, and financial resources you spent to make your business PCI compliant?

Is there an easier way to approach this? Yes, there is—the Sprinto way.

Sprinto is purpose-built to automate the monotonous and time-consuming tasks involved in becoming PCI DSS compliant. Sprinto integrates with your business environment to give you visibility of your complete environment so you can identify existing vulnerabilities and spot emerging ones. Sprinto's automation does the heavy lifting in your compliance process while you focus on what matters most to you: business development.

That’s not all. After you’ve implemented all the PCI DSS requirements, Sprinto helps you continuously monitor your systems to track your compliance posture and ensure that any new critical error is addressed immediately.

Talk to our experts today to understand how Sprinto can make your compliance journey a breeze.

FAQs

How often do I need to validate the PCI DSS compliance based on the compliance level?

Level 1 merchants need an official Report on Compliance every year to validate their PCI DSS compliance. All other levels validate with an annual Self-Assessment Questionnaire, plus external vulnerability scans by an Approved Scanning Vendor at least every 90 days where the applicable SAQ requires them.

What is Level 4 PCI compliance?

Level 4 PCI compliance is the set of validation requirements laid out by PCI DSS for businesses that process fewer than 20,000 MasterCard or Visa e-commerce transactions a year, or up to 1 million Visa transactions a year across all channels.

What is a Level 3 merchant?

A Level 3 merchant processes 20,000 to 1 million Visa or MasterCard e-commerce transactions in a year.

Level 3 merchants also include those that process fewer than 50,000 American Express transactions in a year or between 20,000 and 1 million Discover e-commerce transactions annually.

Who defines merchant Levels for PCI?

The PCI council has laid out the guidance required to help merchants or businesses in identifying the Level they fall into.


What are the levels of PCI cards?

PCI DSS doesn't have levels for cards themselves, but rather for the merchants and service providers that handle card data. The PCI merchant levels and service provider levels are based on transaction volumes.

For merchants there are four levels: 

  1. Level 1: Over 6 million card transactions annually
  2. Level 2: 1 to 6 million transactions annually
  3. Level 3: 20,000 to 1 million e-commerce transactions annually
  4. Level 4: Less than 20,000 e-commerce transactions or up to 1 million regular transactions annually

For service providers, there are two levels:

  1. Level 1: Over 300,000 transactions annually
  2. Level 2: Less than 300,000 transactions annually

What are the levels of PCI standards?

The PCI DSS itself doesn’t have levels – it’s a single set of security standards. However, the term “levels” in PCI context usually refers to the PCI compliance levels for merchants and service providers, which determine the specific validation requirements an organization must meet. 

Vimal Mohan


Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for every day folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise
