What Are the PCI Compliance Levels?

PCI DSS compliance is mandatory for any business that accepts, processes, stores or transmits credit card information. However, not all merchants face the same compliance requirements. The Payment Card Industry Security Standards Council establishes different compliance levels based primarily on transaction volume. Understanding which level applies to your business is crucial for implementing appropriate security measures and avoiding potential penalties.

Understanding PCI DSS Compliance Levels

The PCI Security Standards Council classifies merchants into four distinct levels based on their annual transaction volume. Each level comes with specific validation requirements and reporting obligations.

Level 1: Large Volume Merchants

Criteria:

  • Merchants processing over 6 million card transactions annually across all channels
  • Any merchant that has experienced a data breach resulting in card data compromise
  • Any merchant designated as Level 1 by a card brand (regardless of volume)

Validation Requirements:

  • Annual Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA)
  • Quarterly network scans by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance form
  • Often required to conduct penetration testing and maintain a formal PCI compliance program

Level 2: Mid-Size Merchants

Criteria:

  • Merchants processing 1 to 6 million card transactions annually across all channels

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance form
  • Some card brands may require a Report on Compliance by a QSA

Level 3: Small-to-Medium Merchants

Criteria:

  • Merchants processing 20,000 to 1 million e-commerce transactions annually

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance form

Level 4: Small Merchants

Criteria:

  • Merchants processing fewer than 20,000 e-commerce transactions annually
  • All other merchants processing up to 1 million transactions annually

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans by an Approved Scanning Vendor (ASV) if applicable
  • Compliance validation requirements are determined by the merchant's acquirer or payment brands

Important Considerations for All Compliance Levels

Card Brand Variations

While the PCI SSC provides the general framework for compliance levels, individual card brands (Visa, Mastercard, American Express, Discover, and JCB) may have slight variations in how they categorize merchants and what they require for validation. Some may have additional levels or different transaction thresholds.

Self-Assessment Questionnaire (SAQ) Types

The SAQ comes in multiple versions, each designed for different payment environments:

  • SAQ A: For merchants who have fully outsourced card data functions
  • SAQ A-EP: For e-commerce merchants using a third-party payment processor but with website elements that could affect security
  • SAQ B: For merchants using imprint machines or standalone terminals with no electronic cardholder data storage
  • SAQ B-IP: For merchants using only standalone, PTS-approved payment terminals
  • SAQ C: For merchants with payment application systems connected to the internet
  • SAQ C-VT: For merchants using web-based virtual terminals
  • SAQ D: For all other merchants and for service providers
  • SAQ P2PE: For merchants using approved point-to-point encryption solutions

The Unique Challenge of Phone Payments

For businesses that accept payments over the phone, PCI compliance presents unique challenges, regardless of compliance level. When customers verbally provide card details:

  • The entire telephone environment becomes part of the cardholder data environment (CDE)
  • Call recording systems may capture sensitive authentication data, violating PCI requirements
  • Agent workstations, telephony infrastructure, and network segments all fall within scope
  • Physical security measures must extend to all areas where calls are handled

Descoping Strategies for Phone Payments

To address these challenges, businesses can implement technologies that keep cardholder data out of their environment entirely:

  • DTMF Masking Technology: Allows customers to enter card details via their phone keypad with the tones masked, so agents never hear or access the data and it never reaches call recordings
  • Secure Payment Links: Enable agents to send customers unique payment URLs during calls, so card details are entered in a secure, compliant environment rather than read aloud
  • Tokenization Systems: Replace sensitive card data with non-sensitive tokens for recurring transactions, so the merchant stores no card numbers

Implementing these solutions can significantly reduce the scope of PCI compliance, potentially allowing merchants to qualify for simpler SAQ types regardless of their compliance level.

The Cost of Non-Compliance

Failing to meet PCI DSS requirements for your merchant level can result in:

  • Financial Penalties: Fines ranging from $5,000 to $100,000 per month, depending on your merchant level and the violation severity
  • Increased Transaction Fees: Card brands may impose higher processing fees on non-compliant merchants
  • Mandatory Forensic Investigations: Following a breach, costly investigations by PCI-approved forensic investigators
  • Brand Damage: Public disclosure of breaches can severely impact customer trust
  • Termination of Processing Privileges: In severe cases, the ability to process card payments may be revoked entirely

How Paytia Simplifies Compliance Across All Levels

Regardless of your PCI compliance level, Paytia's secure payment solutions can significantly simplify your compliance obligations, particularly for phone payments:

  • Complete Descoping: Our DTMF masking technology prevents cardholder data from entering your environment
  • Simplified SAQ: Many clients qualify for the simpler SAQ A after implementing Paytia solutions
  • Reduced Audit Scope: Fewer systems and processes to validate during compliance assessments
  • Lower Compliance Costs: Less extensive security controls required for the reduced environment
  • Enhanced Security: Advanced fraud detection and prevention capabilities beyond basic PCI requirements

Conclusion: Finding the Right Path to Compliance

Understanding your PCI compliance level is just the first step. The real challenge lies in implementing appropriate security measures while maintaining operational efficiency. This is particularly true for businesses accepting phone payments, where traditional approaches can lead to extensive compliance scope.

By partnering with Paytia, businesses of all sizes can navigate PCI compliance requirements more effectively, reducing both risk and cost while enhancing the customer payment experience.

Contact Paytia today to learn how our solutions can help your business achieve and maintain PCI compliance regardless of your merchant level.