
Introduction to PCI DSS Compliance Levels

June 13, 2022  |  5 min read

The 4 PCI DSS Compliance Levels

The PCI DSS (Payment Card Industry Data Security Standard) is a set of standards designed to assist organizations in preventing payment data breaches and fraud.

However, the same standards don’t apply uniformly across the board—instead, there are 4 distinct PCI compliance levels depending on the number of transactions handled each year by the business.

  • PCI Level 1 – Merchants who process over 6 million card transactions annually.
  • PCI Level 2 – Merchants who process 1 to 6 million transactions annually.
  • PCI Level 3 – Merchants who process 20,000 to 1 million transactions annually.
  • PCI Level 4 – Merchants who process fewer than 20,000 transactions annually.

Note – Levels May Vary

These levels may vary somewhat depending on the specifications of each card company, but these are a good general guideline.

PCI DSS Compliance Strategy

PCI DSS compliance is achieved by following the guidelines of the PCI SSC (Security Standards Council). The PCI DSS is the product of collaboration among leading card companies (American Express, Discover, JCB, Mastercard, and Visa), with transaction processes supervised by the PCI SSC.

The goal is to make sure that card transactions are secure. To do that, you’ll first need to complete an assessment based on your level.

Then, no matter your level, you’ll have a quarterly network scan done by an ASV (approved scanning vendor) and fill out the AOC (Attestation of Compliance) form.

PCI Level 1 Requirements

Businesses that meet the requirements for Level 1 PCI DSS compliance (with more than 6 million annual transactions) must have an annual RoC (Report on Compliance) done by a QSA (qualified security assessor) or an ISA (internal security assessor).


The ISA can be a member of your team who has been trained to perform the assessment and act as a contact to external auditors. The QSA is an external auditor who goes on-site to conduct the assessment.

After completing the RoC, the auditor will submit it to the business’s acquiring banks.

Additionally, Level 1 businesses need an annual penetration test, which tests your infrastructure for possible security vulnerabilities.

Recap – PCI Level 1

Level 1 compliance means that a QSA submits an annual RoC to acquiring banks. It also includes annual penetration tests and the quarterly network scan and AOC form.

PCI Level 2 Requirements

PCI Level 2 businesses or merchants (that complete 1 to 6 million transactions annually) must complete an annual SAQ (Self-Assessment Questionnaire). The type of SAQ you’ll do depends on the specifications of your business (more on SAQs later).

Then of course, PCI Level 2 merchants must still complete a quarterly network scan by an ASV and the AOC form.

PCI Level 3 Requirements

Merchants that complete 20,000 to 1 million transactions annually are considered Level 3. They must also complete the appropriate yearly PCI SAQ, network scans, and AOC form to be PCI DSS compliant.


PCI Level 4 Requirements

PCI Level 4 businesses are those that complete fewer than 20,000 transactions per year. These businesses must complete the appropriate SAQ each year, a network security scan by an ASV each quarter, and the AOC form.

Recap – PCI Levels 2, 3, and 4

Merchants at Levels 2 through 4 must complete the correct annual SAQ, a quarterly network scan by an ASV, and the AOC form to be PCI DSS compliant.

Types of Self-Assessment Questionnaires

There are different types of PCI DSS SAQs and it’s up to you to determine which ones your business needs based on how you handle card information. It's important to get the correct SAQ since each one has restrictions based on how payment card data (also called cardholder data) is handled. Here are some guidelines to help you choose.


SAQs that Apply to eCommerce Activities

These SAQs are for eCommerce merchants who don’t have any card data storage, processing, or transmission capabilities and who outsource these functions to a third party:

  • SAQ A – For card-not-present (eCommerce, mail, and telephone order) merchants that fully outsource all cardholder data functions to a PCI DSS validated third-party service provider.
  • SAQ A-EP – Applies to eCommerce merchants who have a website that doesn’t directly receive card data and that outsources payment processing to PCI DSS validated third parties.

These SAQs are for merchants who may store card data electronically because they neither outsource credit card processing nor use a P2PE solution:

  • SAQ D for Merchants – For all other merchants not included in other SAQ types.
  • SAQ D for Service Providers – For service providers deemed eligible by a payment card brand to complete an SAQ.

Recap – SAQ A and SAQ A-EP

Apply to eCommerce businesses that outsource credit card processing to third-party service providers.

Recap – SAQ D for Merchants

Applies to merchants who process card payment data on their own websites and who may electronically store card data on their systems.

SAQs for Non-eCommerce Activities

These SAQs are for brick-and-mortar merchants who do not electronically store any cardholder data in their systems:

  • SAQ B – For merchants using only imprint machines and/or standalone, dial-out terminals.
  • SAQ B-IP – Applicable to merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor.
  • SAQ C-VT – Applies to merchants who manually enter transactions into a PCI third-party hosted virtual terminal via a specific computer dedicated to card processing.
  • SAQ C – Applies to merchants with payment application systems connected to the internet. For example, a mobile device with a card processing application or swipe device.
  • SAQ P2PE – For merchants who use point-to-point encryption (P2PE) devices to manage hardware payment terminals.

Recap – SAQ B, B-IP, C-VT, C, P2PE

These SAQs are for merchants who use specific physical devices to connect to third-party payment processors.

PCI Compliant Payment Hub

Clarity Payment Hub™ has a PCI DSS compliant wallet and a virtual terminal you can access from any device. If you’d like to learn more, we’ll be happy to talk with you. We also offer a free discovery session with our experts to help you determine the best solution for your business. It can’t hurt, so why not give it a try?

Autumn Spriggle is a Content Writer at Clarity Ventures with experience in research and content design. She stays up to date with the latest trends in the tech industry so she can write content to help people like you realize the full potential for their business.