PCI Compliance Levels: Know Your Level of PCI Compliance
Understanding the different PCI compliance levels is the first step to reducing the challenges they might bring to your organization.
PCI compliance levels are set by the PCI Security Standards Council (PCI SSC). These levels bucket organizations according to the risk the business poses to cardholders and the larger financial ecosystem. The higher the volume of transactions you process, the bigger a target you are for cybercriminals and the more risk you pose to banks, merchants, processors, etc. By bucketing merchants into levels of PCI compliance, the PCI SSC hopes to right-size the compliance burden to a merchant's size and risk.
This impacts the merchant’s attestation, or the process of demonstrating and documenting PCI compliance.
If you store, process, or transmit credit card data, you must satisfy all PCI requirements. However, most businesses today use service providers, like a full-service PSP or Basis Theory, to help meet the 12 PCI requirements. These vendors' infrastructure and offerings are already PCI compliant and help keep their customers' systems out of PCI scope.
That said, regardless of whether you build or buy your PCI environment, you'll be required to attest to your compliance. That's where PCI compliance levels also matter.
What are the different PCI compliance levels?
There are four PCI compliance levels under PCI DSS 4.0. The level of a merchant is determined by the aggregate number of Visa transactions it processes across all of its “Doing Business As” (DBA) accounts.
- Level 1: Merchants that process more than 6 million transactions per year.
- Level 2: Merchants that process between 1 and 6 million transactions per year.
- Level 3: Merchants that process between 20,000 and 1 million transactions per year.
- Level 4: Merchants that process fewer than 20,000 transactions per year.
Each PCI compliance level comes with its own cost. In reality, the transaction thresholds for merchant levels vary slightly from card brand to card brand. The numbers referenced in this blog reflect the industry’s generic attempt to make levels easier to communicate.
To determine your level of PCI compliance, you should use historical transactions. If you lack volume, you may also use projected volume.
If you’ve had a security incident or operate in a high-risk industry, you may be placed in a lower level (higher burden) than your volumes alone would imply. Ask your acquirer if you're not sure which PCI level you are.
What to Know About PCI Level 1
PCI Level 1 represents the highest burden to an organization. It is the most thorough, expensive, and time-consuming of all the levels of PCI compliance.
- Number of Transactions: Over 6 million transactions each year.
- Vulnerability Tests: Both your quarterly network scans and an external penetration test of your systems.
- Assessor: Qualified Security Assessor (QSA)
- Assessment Method: Report on Compliance will assess your environment against each of the 339 PCI DSS requirements.
Cost to Become PCI Level 1
PCI Level 1 merchant requirements are far more prescriptive than those of the other levels and, thus, easier to predict. The following estimates reflect the typical time and cost of an in-house cardholder environment; however, certain service providers, like Basis Theory, may be able to reduce these costs by as much as 90%.
- Time to Build: Most estimates put building a PCI-compliant environment in the range of 4-7 months.
- Time to Certify: Preparing for an on-site assessment by a QSA can take months, but the time from starting an assessment to receiving your ROC is typically around 4-8 weeks. Any findings in your ROC must be addressed before you close out your attestation for the year, which can lengthen timelines.
The costs to become certified as PCI DSS Level 1 vary significantly depending on the number of people, places, and things that touch cardholder data.
- Quarterly Network Scans: $500-$5,000 per year
- Penetration Test: $5,000 to $20,000 per year
- Assessment: $20,000 to $75,000 per year
What to Know About PCI Level 2
Level 2 merchants are often challenged by acquirers to fulfill Level 1 requirements. This makes this level notoriously hard to predict. As always, consult a QSA or acquirer if you have questions.
- Number of Transactions: between 1 and 6 million
- Vulnerability Tests: Quarterly network scans by an Approved Scanning Vendor (unless a service provider is used)
- Assessor: Self-assess, QSA or ISA
- Assessment Method: SAQ (your acquirer or payment service provider may require a ROC)
What to Know About PCI Level 3
- Number of Transactions: Between 20,000 and 1 million transactions
- Vulnerability Tests: Quarterly network scans by an Approved Scanning Vendor (unless a service provider is used)
- Assessor: Self-assess
- Assessment Method: SAQ
What to Know About PCI Level 4
- Number of Transactions: fewer than 20,000 transactions
- Vulnerability Tests: Quarterly network scans by an Approved Scanning Vendor (unless a service provider is used)
- Assessor: Self-assess
- Assessment Method: SAQ
The Impact to Merchants
It’s probably more helpful to think of merchant levels less as a “level of security” you must have (because, again, all merchants must meet PCI's security requirements) and more as the level of effort required to prove compliance and security.
The PCI DSS compliance levels shape your company's PCI DSS program and attestation effort in three primary ways:
Testing for Vulnerabilities
While your controls protect your system, the PCI SSC wants to know how well they are working. There are two methods; which one is required depends on your level.
- Quarterly network scan by an Approved Scanning Vendor (ASV).
- Penetration test of your system conducted by an external party.
Assessing Your Compliance
You'll need to "attest" to your compliance by having your existing system validated. Who can or must assess that depends primarily on your merchant level.
- Self-assessment is performed by an appropriate internal stakeholder familiar with your implementation.
- Qualified Security Assessor (QSA) is an external, independent third party brought in to audit and validate.
- Internal Security Assessor (ISA) is an internal role, more common in large enterprises, that conducts assessments and liaises with external assessors.
The Method and Length of Assessment
A PCI DSS assessment is essentially a checklist of questions you must answer and evidence you must provide to your acquirer. The more requirements you're asked to validate, the more work you have in front of you.
- Self-Assessment Questionnaire (SAQ) is completed by a self-assessor or ISA: There are 9 different SAQs, ranging from 22 questions (SAQ A) to 339 (SAQ D). Make sure you select the right SAQ.
- Report on Compliance (ROC) is completed by a QSA. It's a thorough assessment against all PCI DSS requirements.
While you cannot change your level, the PCI SSC does allow you to use services and technologies that can significantly reduce the burden of your requirements. With over 300 requirements in play, your goal should be to decrease the number that apply to you as much as possible.
For example, if you use a token orchestration provider like Basis Theory to secure your cardholder information, you can skip the quarterly vulnerability scans, self-assess, and use the shortest assessment method (SAQ A with 22 questions).
FAQs About PCI Compliance Levels
Should I use historical or projected volume to identify my merchant level?
Use historical transaction volume if you have it, but if you don't, use projected volume to identify your level of PCI compliance.
Where can I find resources about PCI DSS compliance merchant levels?
You can find resources about PCI DSS compliance merchant levels on the PCI Security Standards Council website (https://www.pcisecuritystandards.org/) and on the websites of PCI DSS-approved assessors.
What’s the difference between PCI DSS merchant levels and service provider levels?
A merchant is a company that accepts credit cards as a form of payment from customers. A service provider is a business entity involved in the storage, processing, or transmission of cardholder data. Because of the different nature of these two entities, PCI has developed separate requirements for each.
What happens if I assess at the wrong level?
If you assess at a lower level than you should, you may not be fully compliant with the PCI DSS requirements, which could result in fines or, worse, data breaches. If you assess at a higher level than you should, you may be wasting resources and money on unnecessary compliance measures.
What are some ways to change my PCI DSS merchant level?
Only your acquirer can change your merchant level.
However, you can significantly reduce the time, money, and impact of your level’s requirements on your organization by reducing the number of people, places, and things that are exposed to cardholder data. Using token orchestration platforms, like Basis Theory or specific PSPs, you can reduce the effort to become and stay PCI compliant by as much as 95%, without losing capabilities or interrupting existing operations.
Can I assess at a higher PCI DSS merchant level, even if I don’t have to?
Yes, you can assess at a higher PCI DSS merchant level if you choose to do so, but it may result in additional compliance requirements and costs that may not be necessary for your business.