Compliance requirements for PCI DSS merchant levels


PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards established back in 2004 by major credit card companies like Visa, Mastercard, Discover, JCB, and American Express. 

The primary goal of these standards is to protect cardholder data and reduce the risk of data breaches and credit card fraud. To achieve this, the PCI Security Standards Council (PCI SSC) created a system called merchant levels based on the volume of credit card transactions processed by a business entity.

Understanding the significance of these levels and their role in helping your business stay secure and compliant is crucial.

Key takeaways

  • Understanding PCI DSS merchant levels and compliance requirements is essential for assessing risk and protecting customer data.
  • The four merchant levels dictate the security requirements, ranging from high-volume to very low-volume merchants and service providers.
  • Regularly implementing strong security controls, monitoring systems, and providing employee training are best practices for maintaining compliance with PCI DSS standards.

The four PCI DSS merchant levels

Each level has its own set of requirements under the Payment Card Industry Data Security Standard (PCI DSS). The four merchant levels are:

Level    Description
Level 1  Service providers or merchants that process over 6 million card transactions annually.
Level 2  Service providers or merchants that process 1 to 6 million transactions annually.
Level 3  Service providers or merchants that process 20,000 to 1 million transactions annually.
Level 4  Service providers or merchants that process fewer than 20,000 transactions annually.

This classification system guides businesses of all sizes to implement the appropriate security measures and minimize the risk of data breaches. Your merchant level indicates the compliance requirements that apply to your business, guiding you to achieving and maintaining PCI DSS compliance.

In addition to transaction levels, other factors may weigh into an organization’s compliance requirements. For example, organizations that have recently had a cyber-attack may be held to a higher compliance requirement.

Let’s look in greater detail at each merchant level and its compliance requirement(s).

Level 1: Over 6 million card transactions annually

Requirement: Level 1 merchants must undergo an annual PCI DSS assessment resulting in the completion of a Report on Compliance (ROC) conducted by a PCI SSC-approved Qualified Security Assessor (QSA).

Level 1 service providers or merchants process over six million card transactions annually, making them the highest volume merchants and subject to the strictest PCI DSS compliance requirements. Merchants that handle large volumes of financial transactions must conduct an annual on-site assessment. This evaluation must be completed by a PCI SSC-approved Qualified Security Assessor (QSA).

Additionally, they must submit an Annual Report on Compliance, perform quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and complete an Attestation of Compliance form.

Fulfilling these stringent requirements allows Level 1 merchants to showcase their commitment to data security and the protection of cardholder data from potential threats.

Level 2: 1 to 6 million transactions annually

Requirement: Annual Self-Assessment Questionnaire (SAQ). Level 2 merchants completing SAQ A, SAQ A-EP, or SAQ D must additionally engage a PCI SSC-approved QSA for compliance validation. Level 2 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA to complete an ROC instead of performing an SAQ.

Level 2 service providers or merchants process between one and six million card transactions annually, placing them in the medium-volume category. These merchants must complete an annual Self-Assessment Questionnaire (SAQ) as a means of self-evaluating their PCI DSS compliance.

In addition to the SAQ, Level 2 merchants are also required to conduct quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and perform annual penetration tests to identify potential vulnerabilities in their systems. Compliance with these requirements helps Level 2 merchants maintain their security posture amidst evolving threats and ensures ongoing compliance.

Level 3: 20,000 to 1 million transactions annually

Requirements: Annual Self-Assessment Questionnaire (SAQ). 

Level 3 service providers or merchants process between 20,000 and one million card transactions annually, making them low-volume merchants with comparatively lower PCI DSS compliance requirements. Like Level 2 merchants, Level 3 merchants must complete an annual Self-Assessment Questionnaire (SAQ) to evaluate their compliance status.

Additionally, they are required to conduct quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and submit an Attestation of Compliance form to validate their adherence to PCI DSS requirements. Compliance with these requirements aids Level 3 merchants in reducing the risk of data breaches.

Level 4: Fewer than 20,000 transactions annually

Requirements: Annual Self-Assessment Questionnaire (SAQ). 

Level 4 service providers or merchants handle fewer than 20,000 card transactions annually, placing them in the very low-volume category with the lowest level of audit requirements. While the PCI DSS requirements for Level 4 merchants are less stringent than those for higher-volume merchants, it is still crucial for these businesses to maintain PCI compliance and avoid data breaches.

The specific compliance requirements for Level 4 merchants and service providers depend on their acquiring bank but generally involve completing a Self-Assessment Questionnaire (SAQ), conducting quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and submitting an Attestation of Compliance form.

Adherence to these requirements ensures that Level 4 merchants or service providers, irrespective of their transaction volume, can safeguard cardholder data and retain customer trust.

Achieving and maintaining PCI DSS compliance

Achieving and maintaining PCI DSS compliance is an ongoing process that involves continuous assessment, implementation of security controls, and regular monitoring of your systems. This process is essential for protecting cardholder data and reducing the risk of data breaches, fines, and penalties.

The key steps to achieve and maintain PCI DSS compliance include self-assessment, on-site audits, and regular scans and tests. Ensuring compliance with these steps safeguards your customers’ sensitive payment information and strengthens their trust in your business.

Self-Assessment Questionnaires (SAQs)

Self-Assessment Questionnaires (SAQs) are validation tools provided by the PCI SSC to help eligible merchants assess their PCI DSS compliance. SAQs are structured around the 12 PCI DSS requirements, allowing organizations to determine whether they meet the necessary security standards.

It is crucial to choose the appropriate SAQ for your business, as each questionnaire is tailored to specific scenarios and has its own set of requirements for meeting PCI DSS standards.

Completing the relevant SAQ gives you a clear picture of your current compliance status and helps identify areas needing improvement. Here’s a breakdown of the different types:

  • SAQ A: For merchants that outsource all cardholder data functions and do not store, process, or transmit cardholder data on-site.
  • SAQ A-EP: For e-commerce merchants that outsource all payment processing and have a website that does not directly receive cardholder data but can impact the security of the transaction.
  • SAQ B: For merchants that use only imprint machines or standalone, dial-out terminals and do not transmit cardholder data over a network.
  • SAQ B-IP: For merchants that use standalone, IP-connected point-of-sale terminals and do not transmit cardholder data over a network.
  • SAQ C: For merchants with payment application systems connected to the internet that do not store cardholder data.
  • SAQ C-VT: For merchants who manually enter a single transaction at a time via a keyboard into an internet-based virtual terminal solution.
  • SAQ D: For merchants who do not fit into any of the above categories and are thus required to complete the most comprehensive SAQ.
  • SAQ P2PE: For merchants using hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution.

On-site audits and Qualified Security Assessors (QSAs)

On-site audits are required for Level 1 merchants, as they process the highest volume of card transactions and face the most stringent PCI DSS compliance requirements. These audits are conducted by Qualified Security Assessors (QSAs), who are approved by the PCI SSC.

On-site audits involve a thorough evaluation of a merchant’s security controls, infrastructure, and policies to ensure they meet the PCI DSS requirements. Undergoing an on-site audit allows high-volume merchants to showcase their dedication to data security and ensures compliance with PCI DSS.

Quarterly external vulnerability scans and annual penetration tests

Regularly monitoring and testing your systems is an essential component of achieving and maintaining PCI DSS compliance. Quarterly external vulnerability scans help identify potential vulnerabilities in your external infrastructure and must be performed by an Approved Scanning Vendor (ASV).

Annual penetration tests, on the other hand, assess the effectiveness of your security controls by simulating potential cyber attacks on your systems. Conducting quarterly external scans and annual penetration tests verifies that your security measures remain effective at protecting cardholder data from unauthorized access and breaches.
