What are the 4 Levels of PCI Compliance?

by Sarah Harvey / April 20th, 2020

Does your business collect, use, store, process, or transmit payment cardholder information?

If so, it’s likely that you’ve heard of the Payment Card Industry Data Security Standard, or PCI DSS. If you haven’t, the PCI DSS is a standard created by major credit card companies, such as Visa, Mastercard, Discovery, American Express, and JCB to establish specific requirements that merchants and service providers must adhere to in order to protect payment cardholder data.

This is a robust standard and ensuring PCI compliance is no small task, especially because the framework applies to companies that vary vastly in size and processing capabilities.

This is why, when first establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand the in’s and out’s of the framework, including what constitutes a merchant, what are the four PCI compliance levels, and how these four PCI DSS levels impact compliance requirements.

Let’s take a look.

What is a Merchant as Defined by PCI DSS?

The Payment Card Industry Security Standard Council (PCI SSC) defines a merchant as:

“A merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.”

Does your business fall under this definition? If so, PCI compliance is required and you must determine your PCI compliance level.

The 4 PCI Compliance Levels

Because not every businesses processes the same amount of card payments per year and each has a different level of risk for data breaches and security incidents, the PCI SSC created four PCI compliance levels that are determined by the merchant type.

  • PCI Merchant Level 1: Merchants with over 6 million transactions a year, across all channels, or any merchant that has had a data breach
  • PCI Merchant Level 2: Merchants with between 1 million and 6 million transactions annually, across all channels
  • PCI Merchant Level 3: Merchants with between 20,000 and 1 million online transactions annually
  • PCI Merchant Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year

How do the 4 Levels Impact PCI DSS Compliance?

Depending on which of the four levels of PCI compliance your organization falls under, your compliance journey can vary. Take the following scenarios, for example.

  • If your organization is considered a PCI Merchant Level 1, you’ll be required to undergo annual, third-party audits to verify compliance and go through an annual network scan by an approved scanning vendor (ASV). PCI Merchant Level 1 organizations must receive an annual Attestation of Compliance (AoC) as well as a Report on Compliance (RoC).
  • If your organization is considered to be a PCI Merchant Level 2, 3, or 4, you’ll need to conduct the PCI DSS Self-Assessment Questionnaire (SAQ), as well as go through quarterly network scans with an ASV.
  • If your organization is deemed a PCI Merchant Level 3 but falls victim to a data breach that impacts cardholder information, Visa can opt to penalize you by making you also responsible for meeting the requirements of another level, such as PCI Merchant Level 1.

Meeting PCI Compliance

No matter which of the 4 levels of PCI compliance your business falls into or what type of merchant you are, maintaining PCI compliance needs to be a top priority.

This is why KirkpatrickPrice developed a streamlined audit process that partners you with senior-level, expert Information Security Auditors who are QSAs that can guide you during your PCI compliance journey. Whether you are completing the full audit, have questions about figuring out how to fill out your SAQ, or if you’re looking for an expert penetration tester to perform your required quarterly scanning, we can help.

Let’s talk today about your PCI compliance goals and how we can partner together to achieve them.

More PCI  Compliance Resources

PCI Demystified Video Series

Beginner’s Guide to PCI Compliance

Overdue on New PCI Penetration Testing Requirements? What You Need to Know About PCI Requirement 11.3.4.1