7 min read

The 4 PCI compliance levels: what you need to know

Featured Image

If you are at the beginning of your PCI compliance journey then you will need to read on to discover what PCI compliance level your business fits into. Visa, Mastercard, American Express, JCB, and Discover, the major credit card companies, employ PCI DSS security standards to make that all merchants accepting credit cards operate in a secure environment. Because the PCI DSS standards are enforceable by the consortium of credit card companies, all merchants accepting credit cards must maintain a secure environment. Your business may fall into one of four PCI levels, depending on the quantity of credit card transactions you handle per year: 1. Businesses that handle over 6 million transactions per year, 2. Businesses that handle 1 million to 6 million transactions per year, 3. Businesses that handle 20,000 to 1 million transactions per year, or 4. Businesses that handle less than 20,000 transactions per year. To determine your PCI compliance level, your service provider can help you or you can use reporting tools. It's best to check with the credit card companies directly to find out their particular merchant levels.

Level 1: PCI DSS Level 1 Service Providers

PCI DSS Level 1 compliance is necessary for merchants processing six million card transactions a year. The PCI DSS Level 1 is the most comprehensive of the PCI standards, and as a result, a qualified security assessor (QSA) or an internal security assessor (ISA) must verify compliance annually. A QSA will inspect your operations in person, whereas an ISA may be a member of your team trained to perform an PCI audit and act as a liaison with external auditors. In addition to external audits for data breaches that affect Level 1 merchants, any violation of cardholder data is also subject to external audit, even if the company is not in Level 1.

An approved scanning firm will do quarterly network scans to look for potential vulnerabilities. The QSA mandates that vulnerability scanning firms search your computers, servers, cloud, and other products for sensitive information and inform you of any potential security issues. In addition, Level 1 merchants must have a penetration test at least once every year. It is a form of cybersecurity assessment that identifies vulnerability in your infrastructure. A manual process and automated tools are used in addition to vulnerability testing to give you a more comprehensive report. Furthermore, you must submit a PCI DSS compliance affidavit (AOC) to certify that you meet the PCI DSS standards.

Level 2: PCI DSS Compliance for Small Organizations

Merchants are not required to complete a PCI Level 2 audit; they only have to complete a Self-Assessment Questionnaire. The number of questions you must answer on your SAQ will depend on how broadly you define the scope of your audit. There are five types of SAQs, so you will know if you are required to do an onsite audit and file an annual compliance report if you suffer a data breach or if your acquiring bank feels it is important. In addition to the annual penetration test, you must also perform an internal scan and complete an AOC form. An approved vendor must conduct a network audit every quarter. Every six months, service providers must also be penetration tested, for service providers specifically, according to PCI Requirement

Level 3: PCI DSS Compliance for Mid-Sized Organizations

Merchants who wish to receive a Level 3 PCI certification must complete an SAQ, conduct a quarterly network scan for vulnerabilities, and provide an attestation compliance form. Businesses at this level and below are not required to receive a penetration test, although it would still benefit your business if you did so. JCB International does not have Level 3 PCI compliance. Level 2 merchants process less than one million JCB transactions annually.

Level 4: PCI DSS compliance for large organizations

PCI compliance level 4 is the lowest audit level set by the leading credit card companies. In addition to counting the number of transactions handled yearly, businesses seeking this kind of audit must not have experienced data breaches or been victimised by a cyberattack that compromised cardholder data. In addition to completing the appropriate SAQ, quarterly network vulnerability assessments, and finishing an AOC, only these requirements are necessary for PCI compliance level 4. It may be less laborious to complete the annual requirements for PCI compliance level 4 without a formal audit, however, implementing all of the PCI controls and maintaining them can still be time-consuming. You must verify that you have the proper security policies, procedures, and tools in line with the PCI security standard.


Merchant levels as defined by Visa:

Merchant Level Description
1 Any merchant — regardless of payment channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 Any merchant — regardless of payment channel — processing 1M to 6M Visa transactions per year.
3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.



The Payment Card Industry (PCI) Security Standards are a set of security standards that must be followed by businesses that process or store customers’ credit card details. The risk of cyber-attacks on businesses handling card data is high, and cyber criminals use insider attacks to gain access to credit card information so they can sell this data for money. The impact of a security breach can be severe and may result in the business being unable to process payments until compliance is achieved again. As such, it is important to know exactly what these PCI Compliance requirements are and how you can achieve them in your business. This article breaks down the 4 levels of PCI Compliance and what they mean for your business.


Learn more about PCI Compliance with our Ultimate Guide.