Whether a business runs ten credit cards or 10 million, PCI DSS rules will apply. Explore the different levels and requirements for PCI merchants and service providers. Also, learn about the newest v4.0 changes and get expert tips on how to prepare.
PCI DSS, or the Payment Card Industry Data Security Standard, categorizes businesses into compliance levels. The company’s number of transactions determines its level. Merchants have four possible levels, while service providers have only two.
“The PCI DSS compliance framework exists to maintain the integrity of credit card transactions and protect sensitive cardholder data,” says Michelle Strickler, Information Security and Data Privacy Compliance Strategist at Strike Graph. Strickler is a passionate advocate for a risk-based approach to IT compliance and has over 15 years of experience in governance, risk, and compliance.
Caption: Michelle Strickler, Information Security and Data Privacy Compliance Strategist
PCI DSS classifies compliance requirements based on the volume of credit card transactions processed annually by organizations. The PCI Security Standards Council (PCI SSC) establishes these levels to ensure that an organization's scale matches its level of compliance.
For example, larger entities inherently face greater risks, as a breach could impact more individuals than a breach at a smaller organization. Consequently, larger organizations must implement more rigorous measures to safeguard cardholder data and adhere to PCI DSS requirements. Every organization that needs to adhere to PCI requirements is also subject to a PCI audit at any time.
Caption: Stephen Ferrell, CISA, CRISC, and Chief Strategy Officer
Whatever your level, every organization must adhere to 12 core PCI DSS requirements. "The compliance framework remains consistent; it's the controls and evidence that vary with each level," explains Ferrell.
Many PCI requirements overlap with other standards, like SOC 2, but it is important to engage with a compliance expert to understand your specific needs.
Overall, the structured PCI DSS approach ensures that all entities, regardless of size, can safeguard cardholder data and maintain trust with their customers and partners.
Key takeaways:
PCI DISS distinguishes between “merchants” and “service providers.” Merchants are businesses that accept credit cards for a product or service. Service providers process, transmit, or store card information on behalf of merchants. Organizations can fall into both categories.
According to PCI DSS guidelines, organizations must determine whether they are a “merchant” or a “service provider.” This distinction can be confusing for many.
“There are three types of entities who need to engage with PCI DSS requirements,” says Ferrell. “Merchants, service providers, and organizations who play both roles. A merchant is an entity that sells services or products and accepts credit card payments. In contrast, a service provider processes or stores this information on behalf of a merchant.”
Ferrell gives this example: “A web domain provider like GoDaddy functions as both a merchant and a service provider. They accept credit card payments for their services (merchant) and can also provide e-commerce solutions that handle payment transactions for other merchants (service provider).”
Caption: Greig Robertson, Senior Advising Consultant at Compliance Path
PCI DSS classifies merchants into four levels according to their annual credit card transaction volume. Service providers fall into one of two levels, considering their transaction volume and significance within the payment ecosystem.
PCI DSS Level 1 merchants are large national or international organizations that handle over six million transactions annually. They face the toughest standards. They need a qualified security advisor to conduct an on-site assessment and adhere to stringent protocols.
Here's an in-depth look at Level 1 merchants, including qualification criteria, requirements, and examples:
Given the substantial transaction volumes, Level 1 merchants are typically large companies with a national or international presence. Here are two examples:
Level 2 merchants process one to six million credit card transactions annually. They are significant retailers but not as high-volume as Level 1 merchants. Level 2 merchants complete an annual self-assessment, quarterly network scans, and an annual attestation of compliance.
"Level 2 merchants are typically mid-sized retailers processing between one and six million transactions," explains Robertson. "While they face stringent requirements, they aren't as extensive as Level 1 standards. One key distinction is that Level 2 merchants can complete a self-assessment questionnaire, whereas Level 1 merchants need to enlist a QSA to fill out a report on compliance and conduct an on-site assessment.”
Here's an in-depth look at Level 2 merchants, including qualification criteria, requirements, and examples:
Get peace of mind and streamline your path to PCI DSS compliance with our free, downloadable PCI DSS Compliance Starter Kit that includes templates, workflows, and checklists for helping with PCI DSS compliance.
It’s your essential toolkit that includes:
Level 3 merchants process between 20,000 and one million credit card transactions annually. They have similar requirements to a Level 2 merchant: They must complete a self-assessment questionnaire, conduct quarterly network scans, and more. They’re usually e-commerce stores.
"Level 2 and Level 3 merchants don't differ significantly in core security standards," explains Robertson. "The primary difference is transaction volume and the inherent increase in security complexity that comes with more transaction volume. Level 2 merchants, with higher volumes, might face a greater risk profile and more complex systems, potentially requiring more extensive efforts to demonstrate compliance."
Here's an in-depth look at Level 3 merchants, including qualification criteria, requirements, and examples:
A PCI DSS Level 4 merchant processes fewer than 20,000 e-commerce transactions annually or handles up to 1 million total Visa transactions. These merchants face the least stringent requirements and are often small local businesses or online shops.
"Level 4 merchants are your local retailers or small online shops that don’t handle too many transactions," describes Ferrell. "A lot of these retailers may not even be aware of PCI DSS because many of them use third-party providers like PayPal or Stripe to handle their transactions. Still, they technically need to comply with Level 4 requirements.”
Here's an in-depth look at Level 4 merchants, including qualification criteria, requirements, and examples:
Most Level 4 merchants are small e-commerce websites that process a small volume of transactions or small, brick-and-mortar stores that also handle less than 20,000 transactions or fewer than 1 million combined e-commerce and in-person transactions for Visa.
PCI DSS Level 1 applies to service providers that handle 300,000 credit card transactions or more annually. These providers face the most rigorous standards, such as an on-site assessment, quarterly network scans, and more. Many large payment processing apps or other payment gateways are Level 1 service providers.
“In general, PCI DSS requirements for service providers are more comprehensive than even Level 1 merchants,” says Ferrell. “That’s because service providers have the potential to impact the payment card ecosystem more broadly because they handle transactions for multiple merchants across many industries. They also have access to more sensitive cardholder data, meaning a breach could compromise data from numerous businesses.”
Here's an overview of the PCI DSS Service Provider Level 1, including criteria and major requirements.
A PCI DSS Level 2 service provider handles fewer than 300,000 credit card transactions per year on behalf of merchants. Although Level 2 is the least rigorous service provider level, it still includes stringent requirements, like quarterly network scans and an annual self-assessment questionnaire.
Here's an overview of the PCI DSS Service Provider Level 2, including criteria and major requirements:
PCI compliance requirements are updated every three years to keep pace with evolving threats and technology. PCI DSS v4.0 introduces several changes. First, it offers new, flexible ways for entities to demonstrate compliance. It also introduces updated security requirements, especially for multi-factor authentication.
The PCI Security Standards Council (PCI SSC) published the updated PCI DSS v4.0 standards in March 2022. While companies must adhere to certain mandates beginning in March 2024, they have until March 2025 to comply with most changes.
Here's a high-level overview of the major changes in PCI DSS 4.0.
While the 12 core PCI requirements remain the same, the intent and content of some sub-requirements have been updated to address evolving threats and technological changes. You can learn more about the 12 core requirements and sub-requirements in our new PCI DSS v4.0 requirements article.
Discover answers to common questions about PCI DSS compliance levels. Learn how to determine your validation level and explore why PCI compliance matters. Our experts address these and other key questions to help you better understand PCI DSS requirements.
To validate your PCI compliance level, submit your self-assessment questionnaire or report on compliance to your acquiring bank or credit card payment brand. They’ll require additional evidence of compliance. Partnering with leading compliance software and experts can help ensure you're fully compliant.
Maintaining PCI compliance begins by identifying your merchant or service provider status and level. Level 1 entities face the most stringent requirements. Research your level's specific requirements and consult a compliance expert to ensure you’re meeting PCI DSS standards.
PCI compliance protects your organization from data breaches, helping to strengthen your reputation. Non-compliance may leave you vulnerable to a costly data breach, which could harm your credibility. It may also lead to substantial fines and even the loss of credit card partners.
"There's a strong business case for complying with PCI DSS," says Strickler. "It exists to protect cardholder data. When you're not compliant, you're more likely to incur a data breach, driving customers away from your business."
Strickler highlights the 2013 Target breach as a key example. "Hackers breached Target's network through a third-party vendor by exploiting vulnerabilities. They captured card data during transactions, leading to financial losses and identity theft for victims. Target's reputation took a substantial hit, and the company faced huge losses and widespread criticism. More thorough compliance with PCI DSS controls could have prevented or mitigated the impact of this event."
Here are more details on why PCI compliance is worth it:
Strike Graph's compliance management software makes PCI certification easy. That’s because it doesn’t use the traditional one-size-fits-all approach. It tailors solutions to your organization’s unique and diverse compliance needs to ensure you’re 100% compliant across any standard —from PCI DSS to SOC 2, ISO, and beyond.
When it comes to compliance management software, nothing can match Strike Graph’s flexible and comprehensive compliance solutions. It meets your organization where it's at, ensuring a perfect match every time. With Strike Graph, you can use one piece of evidence for any compliance framework, whether it's ensuring you’re PCI DSS compliant or working with SOC 2, ISO, or another standard.
Plus, Strike Graph easily integrates with other software, letting you upload evidence from various sources without any hassle. And don't worry about staying compliant — we've got you covered. Our PCI compliance experts can check your evidence regularly, making sure you're always up to date. With Strike Graph, compliance is a breeze.
Video Transcript
Justin: So you mentioned the concept of tier, and so this probably gets into like, how is an audit or an assessment conducted for PCI DSS. This is one of my top three questions for any standard we come across. How do they specify the testing? Tell us a little bit about what you've learned about that.
Sam: Sure, absolutely. So for organizations, or merchants is what they call it in PCI, similar as if you were to call a service provider, it's still a merchant, even if they're not the one storing the credit card information. So there's four different levels. And so level one is the highest risk. So those are your large global, those are your PayPals, your WhatsApp, any of the ones that are actually storing and processing themselves. So level one is the riskiest. And so this is any merchant that has over 6 million Visa transactions.
Justin: So I'm going to describe companies that I think fall into this bucket. If you're a FinTech organization, and you are trying to connect, let's say you're billing a FinTech platform, a processing platform, and you want to connect a bunch of merchants to a bank, i.e Let's say you are Stripe. This is the highest level of compliance. You need to do this level one level of compliance. Is that right?
Sam: Absolutely.
Justin: Okay. Great. All right. Who's our level twos.
Sam: Yeah. So the level twos are from 1 million to 6 million transactions. And so then your level three is your 20,000 transactions to 1 million. And then you have your level four finally, which is the least riskiest, and it's under 20,000 transactions.
Justin: Okay. So let's see if I can pick out some examples of these. A level two would be, to me might be, either an early FinTech platform, that wants to do a lot of processing, but hasn't quite gotten big enough, or a mature B2C organization that is processing a lot of credit card information.
Sam: Correct. For the one that's processing a lot of credit card information. And so has over 6 million transactions, would be the level one.
Justin: At the level. So then even you can go too far and wind up in level one, if you're a B2C organization and you're really big.
Sam: Correct. Yep. And so it's kind of crazy because I actually was a little bit shocked that it really does come down to the transactions. It doesn't even matter who's storing it, versus maybe who's processing it, or who's transmitting it, which is probably the least riskiest, but they're all part of the same bucket that they have to, they're all held to a similar standard.
Justin: I see.
Sam: Of course, I will admit that the organizations storing it, are holding even more elevated, or elevated risk, or high risk. It's just, they have more controls in what they have to assess.
Justin: Well, and this is like the experience breach. Where it's like millions and millions and millions of people's private information gets exposed because they're storing a ton of data on them, especially probably the credit card information, what credit cards they have, and things like that. So they're not even necessarily processing a ton of transactions, they just have so many people in their database.
Sam: Exactly.
Justin: So break it down for me a little bit. Level one, level two, level three, level four, four being probably the easiest assessment level one being the toughest assessment or the hardest set of requirements. Do all of them require an independent assessor?
Sam: No. So only level one is required to have a Qualified Security Assessor or a QSA, or an Internal Security Assessor ISA, which is not as common. You typically get a QSA. And so that's your third party, typically CPA firm, but it could be other organizations as long as they're QSA, but they're the ones that have to validate your scope, perform the assessment. They're the ones that have to send the assessment, and send not only the report on compliance, but actually send that, basically the opinion on that compliance report to the bank. So they're the ones that are in charge of sending it on your behalf, on the organization’s behalf.
Justin: You don't even get... You're just like, "Hey, I've worked with this third party. They're the QSA. They have done the assessment to us to level one, Hey, third party, will you send this new customer, this bank, this partner, that report." You can't even originate from your email?
Sam: No. And on top of that, a third party, so the QSA firm, should get a confirmation of compliance, acceptance. So that's one thing that the organization should confirm with a third party. I've seen it before where in my previous life at audit firms, I just remember this, sometimes they wouldn't submit it even when they completed it. And so you can see that it was delayed, and what if they just never confirm? So I would just make sure that, that is your responsibility as an organization to at least confirm with that third party that you hired.
Justin: So two, three and four don't require an independent assessor. Does that mean a self-assessment, or an internal audit, or outsourced internal audit would suffice?
Sam: Yes. So you're exactly right. So levels two through four. So the least riskiest or least under the umbrella. So really depending on what type of services, what type of company they are, there is what's called a self assessment questionnaire. And so all they have to do is confirm that they are compliant for, in case if the bank does come and investigate. And then the level two is different than all the other levels, because it operates similarly to level one. However, it's not required to have a third party perform that report on compliance, so your audit report. They can actually perform that, but they have to send that to bank.
Justin: Okay. I see. Is there any benefit, let's say that you are a FinTech company, you want to help, we call them trust assets of course. Is there any benefit in that way us being like, not only are we stating we're compliant, we did this self assessment, but we actually got assessed and got a report from a reputable auditor on this. It seems to me that might be an effective marketing tool.
Sam: Absolutely. Because as we know, just like SOC 2, in a SOC 2 world, similarly in financial institutions or insurance, a lot of them are getting questionnaires as is. So if they really want to one, no longer answer those questionnaires and then two, accelerate their sales process, then if they have this report, they can just send that directly to their prospects. And you'll cover it.