Key Takeaways
1. PCI DSS has four compliance levels for merchants based on the annual card transaction volume.
2. Level 1 merchants process the most transactions and need a third-party assessor for on-site audits. In contrast, levels 2-4 rely on self-assessments and regular scans.
3. IS Partners helps businesses of all levels implement PCI DSS controls, conduct audits, and stay compliant. Contact us to protect your operations.
What Are the Four PCI Compliance Levels?
The Payment Card Industry Data Security Standard (PCI DSS) defines four compliance levels based on the number of card transactions a merchant processes every year. These include:
- PCI Level 1—Over six million transactions annually
- PCI Level 2—Between one and six million transactions annually
- PCI Level 3—20,000 to one million transactions annually
- PCI Level 4—Fewer than 20,000 e-commerce transactions or up to a million total transactions annually
Ian Terry, IS Partners’ Director of Cybersecurity Services, explains how PCI levels are determined:
Generally, the compliance levels are informed by whether the entity is a merchant or service provider and secondarily by the volume of credit card transactions processed. To truly understand what your organization is required to do, refer to the payment brand’s PCI compliance levels which are available on their websites.
How To Determine Your PCI DSS Compliance Level
Your compliance level is based on the volume of credit card transactions your business processes during a 12-month period. To find out your compliance level, you have to:
- Calculate your annual transaction volume across all payment channels. You can contact your card payment brand or your acquiring bank to access transaction volume information.
- Compare that volume to PCI-level requirements. This will help you understand which compliance level you fit into.
For instance, if your annual transactions are above six million, you’ll fit into Level 1. If you’re processing fewer than a million transactions per year, you’ll fall into Level 3.
However, this is not set in stone.
While PCI DSS is the result of a collaboration between Mastercard, Visa, American Express, JCB, and Discover, each payment card brand has its own program for compliance, validation levels, and enforcement.
Check with your payment card brand for their specific requirements. They may adjust your level based on risk factors. For example, you may see yourself going from Level 2 to Level 1, which will change your PCI compliance requirements.
If you work with multiple card brands, you may find that your compliance level is different according to different banks. In this case, follow the PCI merchant levels with the strictest requirements to become fully compliant and avoid any security gaps.
When asked about IS Partners’ unique approach to PCI compliance, Terry responds:
The best value we provide to our clients is doing everything we can to ascertain the scope accurately. This includes ensuring that they are only being assessed against the requirements that actually apply.
In addition, we also highlight potential opportunities to reduce scope by using segmentation controls or changing their payment channel such that it conforms to SAQ eligibility criteria to reduce complexity and overall number of requirements.
PCI Compliance Requirements for Each Level
Businesses that process a large number of credit card payments have to meet more stringent PCI requirements than those that process a lower volume of transactions.

Level 1: Over 6 Million Transactions Annually
PCI DSS Level 1 is typically for large businesses that process over six million card transactions per year, but this level can also apply to:
- Merchants identified by card providers as requiring Level 1 compliance
- Companies that have suffered a data breach involving cardholder data (even though they don’t process the required number of transactions)
Compliance at Level 1 requires an annual on-site audit that has to be conducted by a qualified security assessor (QSA). A QSA is an external expert who visits your business to perform a detailed audit.
For instance, at IS Partners, our auditors begin your PCI DSS compliance audit with an on-site visit to understand your cardholder data environment, followed by a gap assessment. This helps us find vulnerabilities that could impact your PCI certification status.
Once we’ve audited your controls, you’ll get a Report on Compliance (ROC) that describes your security policies and whether you’ve met PCI DSS requirements. This process has to be repeated every year.
In addition, companies have to perform the following to maintain PCI DSS Level 1 compliance:
- Quarterly network scans through an approved scanning vendor (ASV). This will help you find vulnerabilities in your computers, servers, and cloud environments
- Annual penetration testing to identify vulnerabilities
- Attestation of Compliance (AOC) form to confirm that all PCI DSS requirements have been met
Terry commented on how to ensure a smooth and efficient PCI DSS audit process for Level 1 compliance:
The easiest way is to architect their payment flow and associated PCI activities such that they conform to an SAQ (SAQ-A, for instance). This will greatly reduce the number of applicable requirements and make compliance easier and faster.
Working directly with a QSA to aid in scoping and SAQ eligibility will make this even faster/easier.
Level 2: 1 to 6 Million Transactions Annually
Unlike Level 1 merchants, Level 2 businesses don’t have to undergo an on-site audit. Instead, they have to complete a self-assessment questionnaire (SAQ), which helps them understand their compliance with PCI DSS standards.
The SAQ’s length and material depend on how your organization processes payments, how you store data, and the scope of your audit.
Aside from that, your business will also have to:
- Perform quarterly network scans using an ASV
- Submit an AOC form to show that you comply with PCI DSS standards
In some cases—such as following a data breach or if required by the acquiring bank—you may need to undergo an on-site PCI compliance audit and produce an annual report on compliance.
Plus, your company will also have to conduct annual penetration tests to make sure your security infrastructure can defend against cyber threats, according to PCI 11.4. You’ll also need to perform external vulnerability scans once every three months under PCI 11.3.2.
Level 3: 20,000 to 1 Million Transactions Annually
If you belong to this level of PCI compliance, you’ll have to:
- Complete an SAQ
- Perform a quarterly network scan to find vulnerabilities
- Submit an AOC form to verify your compliance status
Unlike Level 2, you won’t have to perform a penetration test every few months. But since this testing can help you find gaps in compliance and vulnerabilities that hackers might exploit, it’s a recommended best practice that benefits your company.
Note: Not all card networks, such as JCB International, recognize Level 3 PCI compliance. In fact, merchants processing fewer than a million JCB transactions a year are considered Level 2 merchants.
Level 4: Fewer Than 20,000 E-Commerce Transactions or up to 1 Million Total Card Transactions Annually
Level 4 is the lowest compliance level. It applies to small merchants processing fewer than 20,000 e-commerce transactions or up to one million total transactions annually.
They also must not have experienced a data breach or cyberattack compromising cardholder data to qualify for this level.
Level 4 merchants have to meet the following compliance requirements for certification:
- Conduct an annual SAQ
- Conduct quarterly network scans
- Complete an AOC (not always mandatory)
It’s worth noting that the thresholds for Level 4 compliance are specifically for Visa and Mastercard transactions. Other major credit card companies, like American Express, Discover, and JCB, may set slightly different criteria for this compliance level.
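Pulling together the determination steps from "How To Determine Your PCI DSS Compliance Level" and the per-level rules above, here is an added Python example (not IS Partners' code and not any card brand's official program logic) that assigns a merchant level from constructed 12-month volumes. It applies the thresholds quoted on this page, the breach-to-Level-1 rule, the JCB exception, the brand's ability to move a merchant to a stricter level, and the strictest-level rule when several brands are accepted. The MerchantProfile fields, the brand_overrides mechanism, the reading of Level 3 as an e-commerce threshold, and the use of overall volume in place of per-brand volume are assumptions of this example.

```python
# Added example (not IS Partners' tool or any card brand's official logic):
# a merchant-level classifier that composes the rules stated on this page.
# The volume thresholds are the page's; every other rule is a labelled
# assumption. Confirm the real level with each card brand and your acquirer.
from dataclasses import dataclass, field

# Validation documents the page lists for each level, used for the summary.
VALIDATION = {
    1: ("annual on-site QSA audit producing a ROC", "quarterly ASV scans",
        "annual penetration test", "AOC"),
    2: ("annual SAQ", "quarterly ASV scans", "annual penetration test", "AOC"),
    3: ("annual SAQ", "quarterly ASV scans", "AOC"),
    4: ("annual SAQ", "quarterly ASV scans", "AOC (not always mandatory)"),
}


@dataclass
class MerchantProfile:
    """Constructed input shape: 12-month transaction counts by channel."""
    ecommerce: int                            # e-commerce transactions
    card_present: int                         # every other channel (card-present, MOTO)
    brands: tuple = ("visa", "mastercard")    # brands the merchant accepts
    breached: bool = False                    # cardholder-data compromise occurred
    brand_overrides: dict = field(default_factory=dict)  # brand -> level imposed

    @property
    def total(self) -> int:
        return self.ecommerce + self.card_present


def volume_level(p: MerchantProfile, brand: str) -> int:
    """Level from volume alone; 1 is the strictest."""
    if p.total > 6_000_000:          # page: over six million -> Level 1
        return 1
    if p.total >= 1_000_000:         # page: one to six million -> Level 2
        return 2
    # Page: JCB does not recognise Level 3; under a million JCB transactions
    # is Level 2. Assumption: overall volume stands in for JCB-only volume.
    if brand == "jcb":
        return 2
    # Assumption: Level 3 is read as 20,000 to one million e-commerce
    # transactions; Level 4 is fewer than 20,000 e-commerce transactions
    # (or up to one million total with little or no e-commerce volume).
    return 3 if p.ecommerce >= 20_000 else 4


def level_for_brand(p: MerchantProfile, brand: str) -> int:
    """Level for one brand after the page's two overriding rules."""
    # Page: a merchant that suffered a cardholder-data breach is assessed at
    # Level 1 regardless of volume.
    if p.breached:
        return 1
    level = volume_level(p, brand)
    # Page: a brand may adjust the level based on risk. Assumption: modelled
    # as an explicit override that can only make the level stricter.
    return min(level, p.brand_overrides.get(brand, level))


def merchant_level(p: MerchantProfile) -> int:
    """Page: with several brands, follow the strictest (lowest-numbered) level."""
    return min(level_for_brand(p, b) for b in p.brands)


def validation_summary(p: MerchantProfile) -> str:
    """Human-readable level plus the validation documents the page lists."""
    lvl = merchant_level(p)
    return f"Level {lvl}: " + "; ".join(VALIDATION[lvl])


if __name__ == "__main__":
    # Constructed sample merchants, one per interesting edge case.
    samples = {
        "large retailer": MerchantProfile(ecommerce=7_000_000, card_present=0),
        "mid-size, Visa+JCB": MerchantProfile(ecommerce=50_000, card_present=400_000,
                                              brands=("visa", "jcb")),
        "small shop": MerchantProfile(ecommerce=5_000, card_present=500_000),
        "small shop, breached": MerchantProfile(ecommerce=5_000, card_present=0,
                                                breached=True),
    }
    for name, profile in samples.items():
        print(f"{name:22s} {validation_summary(profile)}")
```

Run as a script it prints the resulting level and validation documents for each constructed merchant. Treat the output as a starting point for the conversation with your acquirer: the brand programs and the acquirer's risk adjustments decide the real level, which is why the classifier takes the strictest answer whenever rules disagree.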
Understanding Terms Related to PCI Merchant Levels
If you want to understand the compliance requirements for your level, you must know what the following terms mean:
Attestation of Compliance
This is a declaration that confirms a merchant has met the PCI DSS requirements. It’s issued by a qualified assessor or after a self-assessment of compliance.
The Attestation of Compliance form includes details about your company’s current compliance status, assessment methodology, and the current security measures in place. It is submitted to acquirers or payment brands and remains valid for one year.
Quarterly Network Scans
These are external vulnerability scans conducted every three months to identify cybersecurity risks in your network. They’re conducted by an approved scanning vendor certified by the PCI Security Standards Council (PCI SSC).
These scans provide two reports. The first details all vulnerabilities identified with solutions for remediation. The second is an executive summary report with a PCI-approved compliance statement.
Self-Assessment Questionnaires
An SAQ is a validation tool that helps SAQ-eligible merchants and service providers evaluate their compliance with PCI DSS requirements. There are multiple types of PCI DSS SAQs for various merchant scenarios.
Each SAQ has three sections:
- Assessment information—It covers the eligibility criteria and instructions for a specific SAQ.
- PCI DSS questionnaire—It includes yes-or-no questions covering PCI DSS requirements.
- Validation and attestation—This includes your company’s AOC for that specific SAQ.
To get an idea of what an SAQ looks like, check out this SAQ A.
Reports of Compliance
The ROC is a formal document produced during a PCI DSS assessment. It compares your security controls for protecting cardholder data against the Payment Card Industry Data Security Standard.
The ROC includes the following:
- A detailed summary of your compliance with each PCI DSS requirement
- Testing results from system scans, configuration reviews, and interviews
- Remediation guidance for any non-compliant areas
In most cases, a qualified security assessor performs this assessment. However, internal security assessors can also perform the assessment in-house. To get an idea of what an ROC looks like, check out the official PCI ROC template.
Penetration Testing
Penetration testing checks if a network security expert could break into systems and access sensitive data like cardholder information. It covers both external (public-facing) and internal (LAN-to-LAN) perimeters, along with cardholder data locations, network connections, and access points.
There are three types of penetration tests:
- Black box—The tester knows nothing about the system, which helps them mimic an external attacker.
- White box—The tester is given full system details, so they can perform a thorough evaluation.
- Grey box—The tester has partial information about the system.
PCI DSS assessments typically use white-box or grey-box testing because they provide more accurate and detailed results compared to black-box testing.
Achieve PCI Compliance at Any Level With IS Partners
PCI DSS compliance protects payment card data and reduces security risks. Businesses are classified into four levels based on transaction volume, with higher levels requiring stricter security measures. Knowing your compliance level is key to avoiding penalties and maintaining trust.
Beyond regulatory requirements, PCI compliance strengthens security, prevents breaches, and builds customer confidence. Whether you process thousands or millions of transactions, staying compliant ensures long-term protection.
What Should You Do Next?
To meet PCI DSS requirements, follow these steps:
- Determine Your Compliance Level. Calculate your annual transaction volume to identify your PCI level.
- Verify Payment Brand Requirements. Check with your payment card brand to confirm specific compliance criteria.
- Implement PCI DSS Controls. Work with IS Partners auditors to establish controls and maintain compliance year-round.
At IS Partners, we help businesses simplify compliance and strengthen security. Book a free consultation today to protect your business and stay PCI-compliant.