What is a PCI Level 1 Service Provider?

A PCI Level 1 Service Provider is a company that stores, processes or transmits more than 300,000 card transactions a year on behalf of merchants — and proves its PCI DSS compliance through the most rigorous validation route the standard allows: an annual on-site audit by a Qualified Security Assessor, a full Report on Compliance, a signed Attestation of Compliance and quarterly external vulnerability scans by an Approved Scanning Vendor. It's the highest tier of PCI validation and the only one most enterprise buyers will accept from a payments vendor.

A PCI Level 1 Service Provider is the top tier of PCI DSS validation for companies that handle card transactions on behalf of merchants. The level is set by transaction volume: any service provider that stores, processes or transmits more than 300,000 card transactions per year automatically becomes Level 1. Once you're Level 1, you can't self-assess — the PCI Security Standards Council requires an annual on-site audit by an independent Qualified Security Assessor (QSA), a full Report on Compliance (ROC) covering every PCI DSS requirement that applies, a signed Attestation of Compliance (AOC), and quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). The QSA visits your offices, sees the controls in action and signs their name to the result — there's no way to fake it.

The PCI Level 1 Service Provider badge — sometimes shortened to PCI DSS Level 1 or PCI L1 — gets used a lot in payments marketing because it's the strongest compliance claim a vendor can make. But it's worth knowing what's underneath it, because the difference between Level 1 and the lower levels is substantial both in the effort involved and in what it proves about a vendor.

The Four Service Provider Levels

The PCI Security Standards Council defines four service provider levels, with the thresholds tied purely to annual transaction volume:

  • Level 1 — More than 300,000 transactions per year. Annual on-site QSA audit, Report on Compliance, AOC, quarterly ASV scans, listed on the Visa Global Registry of Service Providers and the Mastercard Compliant Service Provider list.
  • Level 2 — Under 300,000 transactions per year. Annual Self-Assessment Questionnaire (SAQ D) with AOC, quarterly ASV scans. No mandatory on-site audit.

Visa and Mastercard each maintain their own service provider levels, and the thresholds align closely. The key practical difference between Level 1 and Level 2 is the on-site QSA audit — Level 1 requires it, Level 2 doesn't. Self-assessment is faster and cheaper for the vendor but provides far weaker assurance to the merchant relying on the vendor's controls.

What a Level 1 Audit Actually Involves

The annual Level 1 process typically takes three to six months and includes:

  • Pre-assessment scoping — the QSA documents every system, network segment, application and process that touches cardholder data. Anything in scope has to meet the relevant PCI DSS controls.
  • On-site fieldwork — the QSA visits the data centres, offices and any third-party providers in scope. They interview staff, review evidence, watch processes happen and test controls.
  • Report on Compliance (ROC) — a multi-hundred-page document covering every PCI DSS requirement, with the QSA's findings, supporting evidence and any compensating controls. The ROC goes to the card brands and the merchant's acquirer.
  • Attestation of Compliance (AOC) — the short, signed summary document the vendor can share with prospects and customers. Most vendors publish this on their website.
  • Quarterly ASV scans — external network vulnerability scans by an independent Approved Scanning Vendor, run every three months. Any failed scan has to be remediated and re-scanned to maintain compliance.

The whole exercise has to be repeated every year. Lapsing means losing the Level 1 status and being delisted from the Visa Global Registry — a serious commercial consequence for any payments vendor that sells to regulated industries.

Why It Matters When Choosing a Payments Vendor

For most merchants buying a payments service, the vendor's PCI level is one of the cleanest signals of operational maturity available. A few things to know when reading a vendor's compliance claims:

  • Ask for the AOC, not just the badge. Any vendor can put a Level 1 logo on their site. A signed AOC dated within the last twelve months and naming the QSA is the actual proof. Reputable vendors will share it under NDA on request.
  • Check the Visa Global Registry. Level 1 Service Providers are listed at visa.com/splisting. If the vendor isn't on that list, they're either not actually Level 1 or their certification has lapsed.
  • Look at the scope of the AOC. A Level 1 AOC covers specific services and infrastructure — not necessarily everything the vendor sells. Make sure the service you're actually buying is in scope.
  • Check the date. AOCs are valid for one year. Vendors mid-recertification will have a slightly older one but should be able to confirm the new audit is in progress.

Does Level 1 Make Your Business PCI Compliant?

Using a Level 1 Service Provider is necessary but not sufficient. The vendor's PCI level only validates their own controls — the part of the payment flow that runs on their infrastructure. Your business still has its own PCI scope based on how cardholder data flows through your environment, and you still have to complete your own SAQ or full audit. What a Level 1 vendor does is take responsibility for the technical controls inside their service, which is what lets you legitimately mark certain SAQ requirements as 'managed by service provider' and reduce your scope.

The combination that delivers the biggest scope reduction is a Level 1 Service Provider plus a technology that keeps card data out of your environment in the first place — for contact centres, that's typically DTMF masking or channel separation. With both in place, most businesses can move from SAQ D (329 controls) to SAQ A (22 controls).

How Paytia Uses This

Paytia has been a PCI DSS Level 1 Service Provider since 2016 — independently audited every year by a Qualified Security Assessor, listed on the Visa Global Registry of Service Providers, and re-validated through the full ROC and AOC process annually. Quarterly ASV scans confirm the network controls between audits.

The reason this matters in practice: when a Paytia customer's PCI assessor asks them how the card data is handled on their phone channel, the answer is 'a PCI Level 1 vendor takes it the moment the customer keys it in — see the AOC' — and a long list of PCI controls becomes 'managed by service provider' rather than 'we have to evidence this ourselves'. That's how a contact centre using Paytia's DTMF masking typically moves from SAQ D to SAQ A.

Paytia's current AOC is available under NDA on request — contact us and we'll share it the same day.

Frequently Asked Questions

What's the difference between PCI Level 1 Service Provider and PCI Level 1 Merchant?

Different category, different thresholds. PCI Level 1 Merchant applies to businesses accepting card payments and is triggered at six million Visa or Mastercard transactions a year. PCI Level 1 Service Provider applies to vendors handling card data on behalf of merchants and is triggered at 300,000 transactions. Both require an annual on-site QSA audit but they're separate compliance tracks.

How long does PCI Level 1 certification last?

One year. The annual on-site audit, ROC and AOC have to be repeated every twelve months. Quarterly ASV scans run between audits. Any lapse means losing the Level 1 status until the next successful audit.

How can I verify a vendor's PCI Level 1 claim?

Three checks. First, ask for their current AOC — it'll be dated within the last twelve months and name the QSA who signed it. Second, search the Visa Global Registry of Service Providers at visa.com/splisting. Third, search the Mastercard Compliant Service Provider list. Vendors who pass all three are genuinely Level 1; vendors who only put the logo on their website may not be.

Does using a PCI Level 1 vendor mean my business is PCI compliant?

No — the vendor's certification only covers their own infrastructure. Your business still has its own PCI scope and still has to validate its own controls. But using a Level 1 vendor lets you mark the requirements they manage as 'covered by service provider', which typically reduces the controls you have to evidence yourself.

See how Paytia handles PCI Level 1 Service Provider

Book a personalised demo and we'll show you how our platform works with your setup.
