Strike Graph security compliance blog

PCI DSS levels 101: requirements, examples & starter kit

Written by Kenneth Webb, CISSP, GWAPT, CSSLP, CISA, CIS LA | Nov 28, 2023 8:00:00 AM

PCI DSS levels for merchants & service providers: requirements, examples & starter kit

Whether a business runs ten credit cards or 10 million, PCI DSS rules will apply. Explore the different levels and requirements for PCI merchants and service providers. Also, learn about the newest v4.0 changes and get expert tips on how to prepare.

What are the PCI DSS compliance levels?

PCI DSS, or the Payment Card Industry Data Security Standard, categorizes businesses into compliance levels. The company’s number of transactions determines its level. Merchants have four possible levels, while service providers have only two. 

“The PCI DSS compliance framework exists to maintain the integrity of credit card transactions and protect sensitive cardholder data,” says Michelle Strickler, Information Security and Data Privacy Compliance Strategist at Strike Graph. Strickler is a passionate advocate for a risk-based approach to IT compliance and has over 15 years of experience in governance, risk, and compliance.  

“It adopts a risk-based approach to safeguard sensitive cardholder data through various measures like firewalls and encryption, to name a few,” Stricker says. “To work with major cardholders like Visa and Mastercard, organizations must demonstrate their compliance by implementing these controls within a broader security framework outlined by the PCI Security Standards Council.”

Caption: Michelle Strickler, Information Security and Data Privacy Compliance Strategist

PCI DSS classifies compliance requirements based on the volume of credit card transactions processed annually by organizations. The PCI Security Standards Council (PCI SSC) establishes these levels to ensure that an organization's scale matches its level of compliance. 

For example, larger entities inherently face greater risks, as a breach could impact more individuals than a breach at a smaller organization. Consequently, larger organizations must implement more rigorous measures to safeguard cardholder data and adhere to PCI DSS requirements. Every organization that needs to adhere to PCI requirements is also subject to a PCI audit at any time. 

"It's not a legal requirement to comply with PCI DSS," explains Stephen Ferrell, CISA CRISC, and Chief Strategy Officer at Strike Graph, with over 20 years of experience in regulated IT compliance. "However, any entity looking to partner with major credit card companies that require PCI DSS, like Visa or American Express, must show that they’re compliant with the PCI framework.” 

Caption: Stephen Ferrell, CISA, CRISC, and Chief Strategy Officer

Whatever your level, every organization must adhere to 12 core PCI DSS requirements. "The compliance framework remains consistent; it's the controls and evidence that vary with each level," explains Ferrell.

Many PCI requirements overlap with other standards, like SOC 2, but it is important to engage with a compliance expert to understand your specific needs.

Overall, the structured PCI DSS approach ensures that all entities, regardless of size, can safeguard cardholder data and maintain trust with their customers and partners.

Key takeaways:

  • PCI uses four compliance levels for merchants and two for service providers, with standards becoming tougher as transaction volume increases.
  • In PCI standards, “merchants” directly accept credit card transactions for a service or product, whereas “service providers” process, transmit, or store transactions on behalf of a merchant.
  • Level 1 merchants and Level 1 service providers deal with the highest volume of credit card transactions and must have a third-party assessor conduct an on-site compliance assessment.
  • The new PCI DSS v4.0 introduces 64 additional requirements and a customized approach that offers organizations more flexibility in meeting PCI DSS compliance.
  • Compliance management software can ensure 100% compliance with your PCI DSS level and other frameworks such as SOC 2 or ISO.

 

PCI DSS merchant vs. service provider 

PCI DISS distinguishes between “merchants” and “service providers.” Merchants are businesses that accept credit cards for a product or service. Service providers process, transmit, or store card information on behalf of merchants. Organizations can fall into both categories.

According to PCI DSS guidelines, organizations must determine whether they are a “merchant” or a “service provider.” This distinction can be confusing for many.

“There are three types of entities who need to engage with PCI DSS requirements,” says Ferrell. “Merchants, service providers, and organizations who play both roles. A merchant is an entity that sells services or products and accepts credit card payments. In contrast, a service provider processes or stores this information on behalf of a merchant.”

Ferrell gives this example: “A web domain provider like GoDaddy functions as both a merchant and a service provider. They accept credit card payments for their services (merchant) and can also provide e-commerce solutions that handle payment transactions for other merchants (service provider).”

Greig Robertson, Senior Advising Consultant at Compliance Path, adds: “From a compliance perspective, an entity that functions as both a service provider and a merchant must address the requirements and validation processes for both roles to ensure comprehensive compliance and protection of cardholder data.” Robertson is a Senior IT Governance Specialist with over ten years of experience in compliance standards, including ISO 27001, SOC 2, ISO 9001, ISO 22301 and PCI-DSS.
Caption: Greig Robertson, Senior Advising Consultant at Compliance Path

PCI DSS classifies merchants into four levels according to their annual credit card transaction volume. Service providers fall into one of two levels, considering their transaction volume and significance within the payment ecosystem.

 

PCI DSS compliance Level 1 merchant

PCI DSS Level 1 merchants are large national or international organizations that handle over six million transactions annually. They face the toughest standards. They need a qualified security advisor to conduct an on-site assessment and adhere to stringent protocols.

Here's an in-depth look at Level 1 merchants, including qualification criteria, requirements, and examples:

  • Who qualifies as a Level 1 merchant?
    • Merchants that process over six million credit card transactions annually for any of the major card brands that use PCI DSS, including Visa, MasterCard, American Express, Discover, and JCB.
    • Any merchant that any PCI card brands place into Level 1, even if they don’t process over six million transactions. A payment brand may make this decision if it determines the organization has risk factors that merit Level 1 standards. 
  • Major requirements
    • Annual report on compliance (ROC)
      "The major difference between Level 1 merchants and merchants in lower levels is that Level 1 merchants have to engage a qualified security assessor to complete an exhaustive, on-site compliance assessment,” explains Robertson.


      Specifically, every Level 1 merchant must engage a qualified security assessor (QSA) or a PCI SSC Internal Security Assessor (ISA) to complete a Report of Compliance (ROC) that validates the organization's PCI DSS compliance. 
    • Quarterly network scans
      Level 1 merchants must conduct quarterly network scans by an approved scanning vendor (ASV) to detect and address any vulnerabilities in their network infrastructure.
Examples:

Given the substantial transaction volumes, Level 1 merchants are typically large companies with a national or international presence. Here are two examples:

  • Walmart: As a leading national retailer, Walmart handles thousands of e-commerce and in-store transactions daily, squarely placing it in the Level 1 merchant category.
  • Lidl: As one of Europe’s largest supermarket chains, Lidl spans multiple countries and processes millions of credit card transactions annually, subject to Level 1 PCI DSS standards.

PCI DSS compliance Level 2 merchant

Level 2 merchants process one to six million credit card transactions annually. They are significant retailers but not as high-volume as Level 1 merchants. Level 2 merchants complete an annual self-assessment, quarterly network scans, and an annual attestation of compliance.

"Level 2 merchants are typically mid-sized retailers processing between one and six million transactions," explains Robertson. "While they face stringent requirements, they aren't as extensive as Level 1 standards. One key distinction is that Level 2 merchants can complete a self-assessment questionnaire, whereas Level 1 merchants need to enlist a QSA to fill out a report on compliance and conduct an on-site assessment.”

Here's an in-depth look at Level 2 merchants, including qualification criteria, requirements, and examples:

  • Who qualifies as a Level 2 merchant?
    Merchants processing between one and six million card transactions annually across any credit card company using PCI DSS.
  • Requirements
    • Annual self-assessment questionnaire (SAQ)
      Level 2 merchants can complete a self-assessment questionnaire (SAQ) instead of undergoing an on-site assessment by a QSA like Level 1 merchants need to do. This SAQ is a self-evaluation survey that tests whether the merchant is adhering to its specific PCI DSS requirements.

      “Understanding PCI compliance can be quite confusing when we dive into the eight types of SAQs,” explains Robertson, a seasoned expert in the field. "Each SAQ type corresponds to how an organization handles cardholder data. Every organization will need to identify which SAQ best fits their specific circumstances.”

      The new PCI DSS v4.0 includes nine types of SAQs. Merchants must select and complete the correct SAQ based on how they process, store, or transmit cardholder data. The PCI Security Standards Council includes detailed definitions of each SAQ on its website.

    • Quarterly network scans with an approved security vendor (ASV)
      Quarterly network scans identify and mitigate vulnerabilities in their merchant’s networks. Like a Level 1 merchant, a Level 2 merchant must complete these scans quarterly with an ASV.
    • Annual attestation of compliance (AOC)
      A senior executive must submit a formal declaration attesting that the merchant complies with its PCI DSS requirements. They submit the AOC to the acquiring bank and any relevant payment brands the retailer engages with.
    • Penetration test
      Level 2 merchants must also perform simulated penetration testing to assess the effectiveness of their controls against an external or internal breach.
    • Additional security measures
      Although the SAQ is less intensive than the Level 1 on-site ROC, Level 2 merchants must still comply with robust security practices to meet the 12 PCI DSS requirements. For example, they need strong access control measures, regular monitoring, and regular maintenance of secure systems and applications.
Examples
Level 2 merchants are usually regional, mid-size retail stores that may operate multiple locations but don’t reach the volume of major national chains. Here are typical examples of the types of retailers and organizations that may be Level 2 merchants:  
  • E-commerce sites
    Specialized online stores or medium-sized online marketplaces may be Level 2 merchants. For example, a mid-sized online clothing retailer with an e-commerce platform that processes one to six million transactions yearly will be a Level 2 merchant.
  • Specialty retail chain or retailer
    A chain of stores with a regional presence may be a Level 2 merchant. An example is a clothing or electronics store that processes one million to six million transactions annually. 



 

PCI DSS compliance Level 3 merchant

Level 3 merchants process between 20,000 and one million credit card transactions annually. They have similar requirements to a Level 2 merchant: They must complete a self-assessment questionnaire, conduct quarterly network scans, and more. They’re usually e-commerce stores.

"Level 2 and Level 3 merchants don't differ significantly in core security standards," explains Robertson. "The primary difference is transaction volume and the inherent increase in security complexity that comes with more transaction volume. Level 2 merchants, with higher volumes, might face a greater risk profile and more complex systems, potentially requiring more extensive efforts to demonstrate compliance."

Here's an in-depth look at Level 3 merchants, including qualification criteria, requirements, and examples:

  • Who qualifies as a Level 3 merchant?
    Any merchant that processes between 20,000 to one million transactions annually. Visa specifically defines these as e-commerce transactions for their card. 
  • Requirements
    • Self-assessment questionnaire (SAQ)
      Level 3 merchants must complete an SAQ to self-evaluate their PCI DSS compliance.
    • Quarterly network scans
      Level 3 merchants, like Level 1 and 2 merchants, must conduct quarterly network scans by an approved scanning vendor (ASV) to identify and address vulnerabilities.
    • Annual attestation of compliance (AOC)
      A senior executive needs to sign an annual attestation of compliance declaring that their company follows PCI DSS requirements.
    • Additional security measures
      Level 3 merchants must still comply with robust security practices to meet the 12 PCI DSS requirements. For example, they need strong access control measures, regular monitoring, and regular maintenance of secure systems and applications.
Example
  • Small to mid-sized e-commerce websites
    Online stores with moderate transactions between 20,000 and 1 million, such as a niche marketplace or a specialized retailer, qualify as Level 3 merchants.

PCI DSS compliance Level 4 merchant

A PCI DSS Level 4 merchant processes fewer than 20,000 e-commerce transactions annually or handles up to 1 million total Visa transactions. These merchants face the least stringent requirements and are often small local businesses or online shops.

"Level 4 merchants are your local retailers or small online shops that don’t handle too many transactions," describes Ferrell. "A lot of these retailers may not even be aware of PCI DSS because many of them use third-party providers like PayPal or Stripe to handle their transactions. Still, they technically need to comply with Level 4 requirements.”

Here's an in-depth look at Level 4 merchants, including qualification criteria, requirements, and examples:

  • Who qualifies as a Level 4 merchant?
    • Merchants that process fewer than 20,000 transactions annually for most credit card companies.
    • Visa's criteria include merchants processing up to one million Visa transactions annually (combined e-commerce and in-person).
  • Requirements
    • Self-assessment questionnaire (SAQ)
      Level 4 merchants must complete an SAQ to self-evaluate compliance with PCI DSS requirements.
    • May require quarterly network scan and annual attestation
      Some Level 4 merchants may also need to conduct quarterly network scans and submit an annual attestation of compliance. The specific requirements depend on the acquiring bank or the bank processing credit payments on behalf of the merchant.

      It’s important to check your specific requirements with a compliance expert or your acquiring bank.
Examples

Most Level 4 merchants are small e-commerce websites that process a small volume of transactions or small, brick-and-mortar stores that also handle less than 20,000 transactions or fewer than 1 million combined e-commerce and in-person transactions for Visa.

PCI DSS Level 1 applies to service providers that handle 300,000 credit card transactions or more annually. These providers face the most rigorous standards, such as an on-site assessment, quarterly network scans, and more. Many large payment processing apps or other payment gateways are Level 1 service providers.

“In general, PCI DSS requirements for service providers are more comprehensive than even Level 1 merchants,” says Ferrell. “That’s because service providers have the potential to impact the payment card ecosystem more broadly because they handle transactions for multiple merchants across many industries. They also have access to more sensitive cardholder data, meaning a breach could compromise data from numerous businesses.”

Here's an overview of the PCI DSS Service Provider Level 1, including criteria and major requirements.

  • Who qualifies as a Level 1 service provider?
    • Any service provider handling over 300,000 transactions annually.
    • Any service provider deemed particularly significant or vulnerable by a card brand.
  • Requirements
    • On-site assessment and annual report on compliance (ROC)
      Like Level 1 merchants, Level 1 service providers need an on-site assessment from a qualified security assessor (QSA).
    • Quarterly network scans
      Level 1 service providers must conduct a quarterly network scan from an approved scanning vendor (ASV) to identify and address vulnerabilities.
    • Attestation of compliance (AOC) form 
      A senior executive must sign and submit an AOC to affirm that the organization follows PCI DSS.
    • Additional reporting and security requirements
      Like merchants, service providers must conform to the 12 PCI RSS requirements. Within these 12 categories, they have additional responsibilities specific to service providers, such as reporting, documentation, and ensuring their merchants comply with PCI DSS.
Examples
  • Major payment processing apps
    Many third-party payment processing apps, such as PayPal, Venmo, and Stripe, process more than 300,000 credit card transactions yearly on behalf of merchants worldwide.
  • Amazon Web Services (AWS)
    As a cloud service provider processing millions of transactions daily, AWS falls under PCI Level 1. They undergo an annual on-site assessment by a QSA, conduct regular internal reviews, and submit quarterly network scans and annual penetration test reports. AWS provides public-facing evidence of their PCI DSS Level 1 Service Provider certification. 

PCI DSS service provider Level 2

A PCI DSS Level 2 service provider handles fewer than 300,000 credit card transactions per year on behalf of merchants. Although Level 2 is the least rigorous service provider level, it still includes stringent requirements, like quarterly network scans and an annual self-assessment questionnaire.

Here's an overview of the PCI DSS Service Provider Level 2, including criteria and major requirements:

  • Who qualifies as a Level 2 service provider?
    Any service provider that stores, processes, or transmits fewer than 300,000 credit card transactions per year.
  • Requirements:
    • Annual self-assessment questionnaire (SAQ)
      Level 2 service providers must complete an SAQ specific to service providers to evaluate their compliance with PCI DSS.
    • Quarterly network scans
      Like Level 1 service providers, Level 2 service providers must conduct quarterly network scans by an Approved Scanning Vendor (ASV) to identify and address vulnerabilities.
    • Attestation of compliance (AOC)
      The organization must submit an AOC to the service provider, following PCI DSS requirements.
Examples of Level 2 service providers
  • Small payment gateways
    A payment gateway handling transactions for a niche market, processing fewer than 300,000 transactions per year, would be a Level 2 service provider.
  • Regional web hosting
    A regional web hosting company that offers e-commerce solutions to local businesses and processes less than 300,000 transactions annually would be a Level 2 service provider.

PCI compliance requirements are updated every three years to keep pace with evolving threats and technology. PCI DSS v4.0 introduces several changes. First, it offers new, flexible ways for entities to demonstrate compliance. It also introduces updated security requirements, especially for multi-factor authentication.

The PCI Security Standards Council (PCI SSC) published the updated PCI DSS v4.0 standards in March 2022. While companies must adhere to certain mandates beginning in March 2024, they have until March 2025 to comply with most changes.

Here's a high-level overview of the major changes in PCI DSS 4.0. 

  • The “customized approach”
    “One of the most important changes in v4.0 is that the PCI SSC gives organizations more flexibility in selecting which controls and evidence they can use to demonstrate compliance,” says Ferrell. "With the introduction of this 'customized approach,' organizations now have the liberty to implement their own controls to fulfill security objectives, rather than being obligated to adhere to specific controls mandated by the PCI SSC.”

    This system contrasts with the traditional "defined approach," which outlines specific controls organizations must use. The customized approach is a direct response to organizations that asked the PCI DSS to use new or innovative technologies as controls.

  • Sixty-four new or updated requirements 
    PCI DSS v4.0 introduces 64 new requirements. Organizations must comply with 13 of these requirements after March 2024 for all v4.0 assessments. The remaining 51 are "best practices" until March 31, 2025, after which they become mandatory.

    "Many of these new requirements mostly focus on strengthening security around multi-factor authentication,” notes Ferrell. Additional changes include revised password policies, enhanced measures against phishing attacks, encryption of sensitive authentication data (SAD), new PIN transaction security (PTS) requirements, and improved security for remote-access technologies.
  • Updated self-assessment questionnaire (SAQ) and report on compliance (ROC)
    The updated requirements ask for more detail in the SAQ (for Level 2, 3, and 4 merchants and Level 2 service providers) and the ROC (for Level 1 merchants and Level 1 service providers). Organizations will need to budget more time and resources to complete their assessments.

 

Updates to the 12 core requirements

While the 12 core PCI requirements remain the same, the intent and content of some sub-requirements have been updated to address evolving threats and technological changes. You can learn more about the 12 core requirements and sub-requirements in our new PCI DSS v4.0 requirements article.

PCI DSS compliance level FAQs

Discover answers to common questions about PCI DSS compliance levels. Learn how to determine your validation level and explore why PCI compliance matters. Our experts address these and other key questions to help you better understand PCI DSS requirements.

How do you validate your PCI compliance level?

To validate your PCI compliance level, submit your self-assessment questionnaire or report on compliance to your acquiring bank or credit card payment brand. They’ll require additional evidence of compliance. Partnering with leading compliance software and experts can help ensure you're fully compliant.

How do you maintain your PCI compliance by level?

Maintaining PCI compliance begins by identifying your merchant or service provider status and level. Level 1 entities face the most stringent requirements. Research your level's specific requirements and consult a compliance expert to ensure you’re meeting PCI DSS standards.

Why does PCI compliance matter?

PCI compliance protects your organization from data breaches, helping to strengthen your reputation. Non-compliance may leave you vulnerable to a costly data breach, which could harm your credibility. It may also lead to substantial fines and even the loss of credit card partners.

"There's a strong business case for complying with PCI DSS," says Strickler. "It exists to protect cardholder data. When you're not compliant, you're more likely to incur a data breach, driving customers away from your business."

Strickler highlights the 2013 Target breach as a key example. "Hackers breached Target's network through a third-party vendor by exploiting vulnerabilities. They captured card data during transactions, leading to financial losses and identity theft for victims. Target's reputation took a substantial hit, and the company faced huge losses and widespread criticism. More thorough compliance with PCI DSS controls could have prevented or mitigated the impact of this event."

Here are more details on why PCI compliance is worth it: 

  • Protects your company from major breaches
    A 2018 Ponemon Institute study found that 59% of companies experienced a data breach caused by a third party or vendor, like the Target breach. Small businesses (like Level 3 and 4 merchants) are particularly vulnerable. According to the National Cyber Security Alliance, 60% of small to mid-sized businesses go out of business within six months after a cybersecurity attack that could have been prevented with proper security measures like PCI DSS. 
  • Helps improve customer loyalty
    Following a data breach, consumer loyalty declines significantly, with long-term repercussions. The Ponemon Institute's 2017 study found that 31% of consumers ceased their relationship with a breached business. Additionally, PwC's Consumer Intelligence Series found that 85% of consumers avoid companies with questionable security practices. These statistics highlight the importance of complying with standards like PCI DSS to maintain robust data security practices and demonstrate a commitment to protecting payment information.
  • Avoid fines and maintain partnerships with major card companies
    Non-compliant organizations face significant financial penalties, ranging from $5,000 to $100,000 per month until they reach compliance. Prolonged non-compliance can also lead to major credit card companies refusing to do business with you, causing significant business disruptions.

How to make PCI certification easier

Strike Graph's compliance management software makes PCI certification easy. That’s because it doesn’t use the traditional one-size-fits-all approach. It tailors solutions to your organization’s unique and diverse compliance needs to ensure you’re 100% compliant across any standard —from PCI DSS to SOC 2, ISO, and beyond. 

When it comes to compliance management software, nothing can match Strike Graph’s flexible and comprehensive compliance solutions. It meets your organization where it's at, ensuring a perfect match every time. With Strike Graph, you can use one piece of evidence for any compliance framework, whether it's ensuring you’re PCI DSS compliant or working with SOC 2, ISO, or another standard.

Plus, Strike Graph easily integrates with other software, letting you upload evidence from various sources without any hassle. And don't worry about staying compliant — we've got you covered. Our PCI compliance experts can check your evidence regularly, making sure you're always up to date. With Strike Graph, compliance is a breeze.

 

Video Transcript

Justin: So you mentioned the concept of tier, and so this probably gets into like, how is an audit or an assessment conducted for PCI DSS. This is one of my top three questions for any standard we come across. How do they specify the testing? Tell us a little bit about what you've learned about that.

Sam: Sure, absolutely. So for organizations, or merchants is what they call it in PCI, similar as if you were to call a service provider, it's still a merchant, even if they're not the one storing the credit card information. So there's four different levels. And so level one is the highest risk. So those are your large global, those are your PayPals, your WhatsApp, any of the ones that are actually storing and processing themselves. So level one is the riskiest. And so this is any merchant that has over 6 million Visa transactions.

Justin: So I'm going to describe companies that I think fall into this bucket. If you're a FinTech organization, and you are trying to connect, let's say you're billing a FinTech platform, a processing platform, and you want to connect a bunch of merchants to a bank, i.e Let's say you are Stripe. This is the highest level of compliance. You need to do this level one level of compliance. Is that right?

Sam: Absolutely.

Justin: Okay. Great. All right. Who's our level twos.

Sam: Yeah. So the level twos are from 1 million to 6 million transactions. And so then your level three is your 20,000 transactions to 1 million. And then you have your level four finally, which is the least riskiest, and it's under 20,000 transactions.

Justin: Okay. So let's see if I can pick out some examples of these. A level two would be, to me might be, either an early FinTech platform, that wants to do a lot of processing, but hasn't quite gotten big enough, or a mature B2C organization that is processing a lot of credit card information.

Sam: Correct. For the one that's processing a lot of credit card information. And so has over 6 million transactions, would be the level one.

Justin: At the level. So then even you can go too far and wind up in level one, if you're a B2C organization and you're really big.

Sam: Correct. Yep. And so it's kind of crazy because I actually was a little bit shocked that it really does come down to the transactions. It doesn't even matter who's storing it, versus maybe who's processing it, or who's transmitting it, which is probably the least riskiest, but they're all part of the same bucket that they have to, they're all held to a similar standard.

Justin: I see.

Sam: Of course, I will admit that the organizations storing it, are holding even more elevated, or elevated risk, or high risk. It's just, they have more controls in what they have to assess.

Justin: Well, and this is like the experience breach. Where it's like millions and millions and millions of people's private information gets exposed because they're storing a ton of data on them, especially probably the credit card information, what credit cards they have, and things like that. So they're not even necessarily processing a ton of transactions, they just have so many people in their database.

Sam: Exactly.

Justin: So break it down for me a little bit. Level one, level two, level three, level four, four being probably the easiest assessment level one being the toughest assessment or the hardest set of requirements. Do all of them require an independent assessor?

Sam: No. So only level one is required to have a Qualified Security Assessor or a QSA, or an Internal Security Assessor ISA, which is not as common. You typically get a QSA. And so that's your third party, typically CPA firm, but it could be other organizations as long as they're QSA, but they're the ones that have to validate your scope, perform the assessment. They're the ones that have to send the assessment, and send not only the report on compliance, but actually send that, basically the opinion on that compliance report to the bank. So they're the ones that are in charge of sending it on your behalf, on the organization’s behalf.

Justin: You don't even get... You're just like, "Hey, I've worked with this third party. They're the QSA. They have done the assessment to us to level one, Hey, third party, will you send this new customer, this bank, this partner, that report." You can't even originate from your email?

Sam: No. And on top of that, a third party, so the QSA firm, should get a confirmation of compliance, acceptance. So that's one thing that the organization should confirm with a third party. I've seen it before where in my previous life at audit firms, I just remember this, sometimes they wouldn't submit it even when they completed it. And so you can see that it was delayed, and what if they just never confirm? So I would just make sure that, that is your responsibility as an organization to at least confirm with that third party that you hired.

Justin: So two, three and four don't require an independent assessor. Does that mean a self-assessment, or an internal audit, or outsourced internal audit would suffice?

Sam: Yes. So you're exactly right. So levels two through four. So the least riskiest or least under the umbrella. So really depending on what type of services, what type of company they are, there is what's called a self assessment questionnaire. And so all they have to do is confirm that they are compliant for, in case if the bank does come and investigate. And then the level two is different than all the other levels, because it operates similarly to level one. However, it's not required to have a third party perform that report on compliance, so your audit report. They can actually perform that, but they have to send that to bank.

Justin: Okay. I see. Is there any benefit, let's say that you are a FinTech company, you want to help, we call them trust assets of course. Is there any benefit in that way us being like, not only are we stating we're compliant, we did this self assessment, but we actually got assessed and got a report from a reputable auditor on this. It seems to me that might be an effective marketing tool.

Sam: Absolutely. Because as we know, just like SOC 2, in a SOC 2 world, similarly in financial institutions or insurance, a lot of them are getting questionnaires as is. So if they really want to one, no longer answer those questionnaires and then two, accelerate their sales process, then if they have this report, they can just send that directly to their prospects. And you'll cover it.