What Are The PCI DSS Merchant Compliance Levels?


PCI DSS, more formally known as the Payment Card Industry Data Security Standard, serves as the compliance framework that regulates companies accepting payment cards. It’s a common-sense regulation that essentially mandates businesses follow certain security best practices in order to safeguard the sensitive information they collect. It governs all organizations that take payment cards, but there’s more to it than just whether or not you’re compliant. PCI DSS also has levels that categorize merchants according to the number of transactions they handle annually.

One of the questions we get asked all the time is what the various PCI levels are and which one you may fall under. It’s a point of consternation that doesn’t need to be one. That’s actually pretty standard when it comes to compliance issues; companies often look at the stakes and figure the requirements must be difficult to comply with — but they’re actually not that complicated when it comes to PCI DSS. It’s all very straightforward.

All PCI organizations are expected to uphold 12 basic requirements:

  1. Install and maintain a firewall.
  2. Change passwords and usernames from vendor defaults.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data.
  5. Use antivirus software and upgrade it regularly.
  6. Develop and maintain secure systems/applications.
  7. Restrict access to data on a need-to-know basis.
  8. Assign everyone with network access a unique ID.
  9. Restrict physical access to data.
  10. Track and monitor all access to network data.
  11. Regularly scan security systems and processes.
  12. Maintain a policy that addresses security.

None of those is particularly challenging, with the scanning requirement being the only real point of confusion for many organizations. One thing that’s less understood than the requirements, though, is the set of PCI levels.

The 4 PCI DSS Security Compliance Levels

There are four PCI compliance levels in total, and they dictate the amount of assessment and validation an organization will need to be considered compliant. They are broken down by the number of transactions processed per year and are supposed to give the payment card industry — namely the big credit card companies — an idea about risks associated with an entity.

Rather nonintuitively, the levels lessen as the numbers increase, with one being the most stringent and four being the least. We guess it’s kind of like the U.S.’s DEFCON (defense readiness condition) scale levels for nuclear war — DEFCON 5 being the least severe risk and DEFCON 1 being the most serious.

Level 1: More than 6,000,000 transactions per year; or any merchant that has had a data breach
Level 2: Between 1,000,000 and 6,000,000 online transactions per year
Level 3: Between 20,000 and 1,000,000 online transactions per year
Level 4: Fewer than 20,000 online transactions or up to 1,000,000 regular transactions per year

What Is Required For Each Of The PCI Compliance Levels?

Here are the requirements for each level in terms of the validation that will be needed.

  • Level 1 – Complete Annual Self-Assessment and undergo quarterly scanning by an ASV. Also required to have annual on-site data security assessments.
  • Level 2 – Complete Annual Self-Assessment and undergo quarterly scanning by an ASV.
  • Level 3 – Complete Annual Self-Assessment and undergo quarterly scanning by an ASV.
  • Level 4 – Complete Annual Self-Assessment and undergo quarterly scanning by an ASV.

Not all Level 4 merchants are required to perform all PCI DSS validations; it depends on the organization’s acquiring bank. All other levels are required to submit regular reports to their acquiring bank to demonstrate that they maintain compliance.

Failing to abide by these standards can lead to monthly fines of between $5,000 and $100,000, in addition to other legal liabilities.

Get Your PCI Compliance Scanning Done

Do you need help with requirement 11 or the general scanning portion of the PCI DSS compliance requirements? Comodo CA/Sectigo HackerGuardian can be purchased for as little as $81.90 per year (down from $249.99 MSRP).

Not only does it fulfill the scanning requirement, but it also generates ready-to-submit reports. With this reporting automation for PCI DSS, all you have to do is actually submit them. The best part? It’s significantly cheaper than the closest competition!
