A guide to the PCI DSS compliance levels

The PCI DSS (Payment Card Industry Data Security Standard) contains a set of requirements to help organisations prevent payment data breaches and payment card fraud.

But did you know that the same requirements don’t apply universally? In fact, there are several PCI compliance levels, which are determined by the number of transactions the organisation handles each year.

The higher the level, the more rigorous an organisation must be in implementing defences and auditing their compliance practices.

Each of the five payment card brands (American Express, Discover, JCB, Mastercard and Visa) has its own programme for compliance, including its own thresholds for the levels of PCI DSS compliance. However, in general, the levels look like this:

  • Level 1: Merchants that process over 6 million card transactions annually.
  • Level 2: Merchants that process 1 to 6 million transactions annually.
  • Level 3: Merchants that process 20,000 to 1 million transactions annually.
  • Level 4: Merchants that process fewer than 20,000 transactions annually.

There are also other factors that affect an organisation’s compliance level. For example, those that have recently suffered a cyber attack or that otherwise pose an information security risk might be elevated to a higher level.

Version 4.0 of the PCI DSS was published on 31 March 2022, which further changes organisations’ compliance requirement. Although the current version (3.2.1) remains valid until March 2024, organisations that are subject to the PCI DSS should prepare for the update as soon as possible.

Let’s take a look at how each of PCI DSS’s levels affect your approach to compliance.

Achieving PCI DSS compliance

The PCI DSS consists of a standardised, industry-wide set of requirements and processes for various security controls, ensuring that payment card and cardholder data are protected.

There are 6 control objectives, which are split into 12 requirements (and these are further divided into hundreds of sub-requirements).

The objective of the PCI DSS is to ensure that card payments are subject to appropriate protections – and the first step to achieving that is to complete an assessment (the specifics vary based on your level), a quarterly network scan and the Attestation of Compliance Form.

For Level 1 organisations, the assessment should consist of an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). They’ll perform an on-site evaluation of your organisation to:

  • Validate the scope of the assessment;
  • Review your documentation and technical information;
  • Determine whether the PCI DSS’s requirements are being met;
  • Provide support and guidance during the compliance process; and
  • Evaluate compensating controls.

The auditor will then submit an RoC (Report on Compliance) to the organisation’s acquiring banks to demonstrate its compliance.

Organisations in PCI Levels 2-4 can complete an self-assessment questionnaire (SAQ) instead of an external audit. Level 2 organisations must also complete an RoC.

You can find out more about this process by reading PCI Audit Success in Nine Essential Steps.

This green paper help organisations to prepare for a PCI audit and ensure a successful outcome.

It contains:

  • Nine essential tips to prepare for a successful RoC audit;
  • A checklist of what the auditor will be looking out for on the day;
  • Invaluable tips to avoid unnecessary delays and frustrations;
  • Advice on identifying non-conformities before the audit takes place; and
  • Guidance on how to choose the right QSA.
Get started

Self-assessment questionnaire

In most other cases, organisations outside Level 1 can achieve compliance with an SAQ (self-assessment questionnaire).

There are different types of SAQ, which apply depending on the organisation’s merchant level and the way it process payment card information:

  • SAQ A: For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce transactions and mail/telephone order merchants.
  • SAQ A-EP: For e-commerce merchants that outsource their payment processing but not the administration of the website that links to it.
  • SAQ B: For e-commerce merchants that don’t receive cardholder data but control the method of redirecting data to a third-party payment processor.
  • SAQ B-IP: For merchants that don’t store cardholder data in electronic form but use IP-connected point-of-interaction devices. These merchants may handle either card-present or card-not-present transactions.
  • SAQ C-VT: For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function.
  • SAQ C: For merchants with payment application systems connected to the Internet (no electronic cardholder data storage).
  • SAQ D: For all other merchants not included in SAQ types A–C.
  • SAQ P2PE: For merchants that use point-to-point encryption. It’s therefore not applicable to organisations that deal in e-commerce.

It’s essential that you select the right SAQ because each one has compliance requirements based on the ways payment card data is processed.

PCI DSS compliance made easy

For those looking for help completing their PCI DSS compliance requirements, IT Governance is here to help.

Our PCI DSS Documentation Toolkit contains everything you need to complete the project, including template documents and a document checker to ensure you select and amend the appropriate records.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organisation.

Get started

A version of this blog was originally published on 23 January 2020.

Related Posts

About The Author

Luke Irwin

Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.

6 Comments

  1. Barnes James 29th July 2020

    A well explained blogging, it detailed about the PCI DSS and basic requirements to set up which will help many companies to safeguard themselves from payment card fraud. Thanks for providing information on PCI DSS courses which will give complete information on the subjects. Many companies can take this opportunity and avoid fraudulent.

    Reply
  2. David Gribble 16th June 2021

    What if you are the program manager of a general purpose reloadable prepiad card program. You do not accept card payments but instead work with a qualified prepaid card processor to register and activate new card accounts for consumers. Do you follow the same transaction rules as a merchant, only substituting number of accounts on file instead of number of transactions processed?

    Reply
  3. Shika 22nd July 2021

    Nice Article!!!
    Thank you for sharing this article which is really interesting to know about PCI DSS Compliance levels.

    Reply
  4. Megha Verma 21st March 2022

    Great Read. Do I have to fulfill PCI DSS requirements if I only take credit card information by phone?

    Reply
    • Luke Irwin 22nd March 2022

      If you process payment card transactions, the PCI DSS applies. It doesn’t matter how you obtain the information (by phone, in person, etc.).

      Reply

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.