A Beginner’s Guide to PCI DSS Merchant Levels

Estimated reading time: 5 minutes

Data breaches and theft happen to businesses of all sizes. From Fortune 500 companies to small business operations, data theft is occurring in alarming numbers. Microsoft suffered a data breach in 2020 that revealed 280 million customer records, and the company has some of the world’s best security measures.

PCI compliance aims to help businesses protect against data breaches.

If you don’t know about PCI DSS merchant levels or PCI DSS levels for service providers, our beginner’s guide will walk you through the levels of PCI compliance.

What is PCI DSS Compliance?

PCI compliance comes from the Payment Card Industry Security Standard Council. The Council consists of multiple members, each from the world’s most popular credit card brands. However, each brand has its own compliance levels.

The following brands have their own compliance levels:

  • Visa, Discover and MasterCard all follow the same compliance requirements.
  • American Express and JCB follow their own requirements.

PCI DSS levels for service providers can be confusing, but there are four primary levels of compliance to consider and understand.

Understanding the 4 PCI DSS Merchant Levels

Every business that does one of the following must follow PCI compliance:

  • Processes credit card data
  • Transmits credit card data
  • Stores credit card data

Dataset size, or the number of transactions that your business makes, will dictate which of the four compliance levels your business is within.

PCI DSS Level 1

The highest compliance falls into the Level 1 category. If you’re required to meet this level of compliance, you’ll fall into one of the following categories:

  • Process 6+ million transactions
  • Suffered a data breach

PCI DSS Level 2

Level 2 is for merchants that have higher volumes of transactions across all of their sales channels. When volumes are between 1 and 6 million, the merchant falls within PCI DSS Level 2 requirements.

PCI DSS Level 3

Level 3 compliance is for businesses that have up to 1 million e-commerce transactions annually.

PCI DSS Level 4

If you’re a small business that processes the following, you’ll need to meet Level 4 compliance:

  • 20,000 or fewer e-commerce transactions
  • Up to 1 million regular transactions

What It Means to Be PCI Compliant

Compliance is most difficult for PCI DSS level 1, and your business will be required to have an external auditor perform a complete audit of your organization. The auditor must be either an Internal Security Assessor or a Quality Security Assessor.

The auditor will:

  • Review your business’s technical information and documentation
  • Ensure PCI DSS requirements are met
  • Offer support and guidance

All compensating controls will be reviewed, and if the auditor believes the organization is compliant, they’ll submit a Report of Compliance (RoC) to demonstrate compliance to credit-issuing companies.

While a Level 2 company must also complete an RoC, the assessment is done by the organization rather than an outside auditor.

For companies that are PCI DSS level 3 or 4, an external audit is waived. Instead, you’ll be required to fill out a self-assessment questionnaire. Depending on the type of business you conduct and the types of transactions you process, you may be required to fill out several different self-assessment questionnaires.

For example, you’ll need to file an SAQ C-VT if you process data through a virtual terminal.

Quarterly approved scanning vendor scans can help your small business remain compliant with PCI DSS requirements and better protect the data of your customers and clients.

Example of Requirements and Security Standards Under PCI DSS 3.2.1

Compliance standards are all about protecting the cardholder’s data so that fraud doesn’t occur. Since more businesses accept credit cards and offer e-commerce solutions than ever before, it’s crucial to remain compliant to lower the risk of data theft and breaches.

A few of the main requirements that must be met under DSS 3.2.1 include:

  1. Install and maintain firewall protection. Firewall protection is required to maintain control of the traffic allowed inside and outside an organization’s network. The requirements are outlined in great detail in the guide outlined below.
  2. Do not use default system passwords and security measures. A common security issue when setting systems up is leaving the default security measures and passwords in place. You’re required to change these defaults to make it more challenging for a hacker to gain access to cardholder data.
  3. Protect cardholder data. If data is stored on your system, it’s crucial to protect it using current security measures, such as encryption.
  4. Encrypt data. Cardholder data must be encrypted on all public and open networks so that it cannot be accessed even if it is involved in a data breach.
  5. Protect against malware. Systems and programs must be updated regularly to help protect against malware and other threats.
  6. Maintain and develop secure systems. Additionally, applications and systems must be properly maintained and developed to maintain the highest level of security possible.
  7. Restrict card data. The card data of a customer must be restricted with proper access controls so that only individuals that must have access to the data can access it properly.
  8. Restrict physical access. Physical access to cardholder data should be further restricted.
  9. Authenticate access. When attempting to access system components, you must identify and authenticate this access.
  10. Track and monitor. Systems across the network should be tracked and monitored at all times.
  11. Testing. Security measures and processes need to be regularly tested to ensure they’re functioning properly.
  12. Security policies. Businesses that accept credit cards must also maintain internal security policies that manage personnel information security.

If you want a more thorough explanation of compliance and a quick start guide, there is one available through the creators of PCI compliance here. The Quick Reference Guide will allow you to get up and running with compliance as quickly as possible.

It’s crucial to know that credit card companies have the authority to upgrade the compliance level of your business at their discretion. For example, if you’re operating in an industry with high levels of chargebacks or fraud, you may be required to move up to PCI DSS level 1.

Picture of Christian Woodward

Christian Woodward

Job Title, Author

Customer focused

If we can't beat your current rates, we'll give you $500!*

We happily accept merchants processing any amount. Price guarantee for merchants processing $10,000 or more per month. Free terminals and other promotions depend on processing volume, credit and qualifications.

Customer focused

If we can't beat your current rates, we'll give you $500!*

We happily accept merchants processing any amount. Price guarantee for merchants processing $10,000 or more per month. Free terminals and other promotions depend on processing volume, credit and qualifications.