What Are PCI Compliance Levels?

PCI (Payment Card Industry) compliance levels categorize merchants based on their volume of credit card transactions per year. The PCI Security Standards Council establishes these criteria to prevent fraud. Depending on the number of transactions, companies must adhere to different security measures. This classification ensures that merchants implement necessary safeguards commensurate with the risks involved in processing transactions.

This is part of a series of articles about PCI compliant hosting.

The 4 PCI Compliance Levels in Detail

PCI Level 1 Compliance: Global Retailers and Enterprises

Level 1 PCI compliance is mandatory for large enterprises processing over 6 million credit card transactions annually. These organizations face significant risks due to their transaction volumes, requiring stringent security measures. To achieve Level 1 compliance, businesses must conduct an annual on-site assessment by a Qualified Security Assessor (QSA). They must also perform a network scan by an Approved Scanning Vendor (ASV) each quarter.

This compliance level focuses on thorough protection against data breaches. Companies at this level typically have complex infrastructure, necessitating detailed security controls. This includes encryption, secure processing environments, and security policies. Continuous monitoring and regular assessments ensure these practices are maintained, reducing the risk of data loss.

PCI Level 2 Compliance: Regional and Mid-Sized Enterprises

PCI Level 2 compliance targets businesses processing between 1 and 6 million transactions annually. While the transaction volume is lower than Level 1, these entities still face considerable risks. Companies must complete a Self-Assessment Questionnaire (SAQ) annually and conduct quarterly network scans. This helps them identify and mitigate potential vulnerabilities in their systems.

Similar to Level 1, compliance involves maintaining stringent security protocols, although the audit process might be less intensive. Focus areas include maintaining a secure network and implementing access control measures. By fulfilling these requirements, mid-sized enterprises can significantly reduce the risk of data breaches.

PCI Level 3 Compliance: Medium-Sized Businesses

Level 3 compliance applies to businesses processing 20,000 to 1 million transactions annually. It typically involves e-commerce operations, but it is relevant to any business handling that volume of transactions online. These enterprises must complete an annual Self-Assessment Questionnaire (SAQ) and conduct quarterly network scans to identify vulnerabilities. Such measures help safeguard sensitive cardholder information within their payment systems and reduce exposure to cyber threats.

Network security and secure transaction processing are core components under Level 3 requirements. By adhering to PCI DSS requirements, businesses can prevent unauthorized access and data disclosure.

PCI Level 4 Compliance: Small and Local Businesses

PCI Level 4 compliance is for businesses processing fewer than 20,000 transactions annually. This level addresses the unique security needs of small and local businesses. Although the transaction volume is lower, these entities must still take steps to ensure data security. Completing annual Self-Assessment Questionnaires (SAQs) and undertaking quarterly scans are crucial components in this process.

While the requirements may not be as stringent, maintaining compliance is essential for protecting customer data from vulnerabilities. Level 4 businesses must implement basic security measures such as firewall configurations and secure access controls.

PCI DSS Levels for Service Providers

Service providers play a critical role in the payment processing ecosystem, and their compliance is just as important. PCI DSS levels for service providers are defined differently from merchant levels.

Level 1 Service Provider

Level 1 service providers process over 300,000 card transactions annually. These providers must undergo an annual on-site audit by a Qualified Security Assessor (QSA). Additionally, they are required to conduct network scans by an Approved Scanning Vendor (ASV) quarterly. This rigorous process ensures that all systems are properly secured and vulnerabilities are addressed immediately.

Level 2 Service Provider

Level 2 service providers handle fewer than 300,000 transactions annually. They are required to complete an annual Self-Assessment Questionnaire (SAQ) to evaluate their security practices. Additionally, quarterly network scans are a critical component of the compliance process.

PCI Evaluations by Compliance Level

The following table explains the different evaluations required for PCI Compliance and which evaluations are relevant for each compliance level.

Evaluation                           Merchant L1  Merchant L2  Merchant L3  Merchant L4  SP L1  SP L2
QSA (Qualified Security Assessor)    v            -            -            -            v      -
ASV (Approved Scanning Vendor)       v            v            v            v            v      v
SAQ (Self-Assessment Questionnaire)  -            v            v            v            -      v

QSA (Qualified Security Assessor): An independent external audit conducted by a PCI-approved security assessor to ensure compliance with PCI DSS standards.
ASV (Approved Scanning Vendor): A vulnerability scan performed quarterly by a PCI-approved vendor to identify potential weaknesses in the network infrastructure.
SAQ (Self-Assessment Questionnaire): A self-assessment that merchants and service providers complete annually to evaluate their security controls and adherence to PCI DSS requirements.


How to Determine Your PCI DSS Compliance Level

Determining your PCI DSS compliance level involves assessing the volume of payment card transactions your organization processes annually. The process typically includes the following steps:

  1. Calculate annual transaction volume: Start by calculating the total number of credit card transactions your business processes in a year. This includes all transactions, whether they are online, in-store, or through any other sales channel.
  2. Identify merchant or service provider status: Determine whether your business is classified as a merchant or a service provider. Merchants are entities that accept payment cards as a form of payment, while service providers manage transactions on behalf of merchants or other service providers.
  3. Match transaction volume to PCI compliance level: Compare your annual transaction volume to the thresholds set by the PCI Security Standards Council:
    • Level 1: More than 6 million transactions annually.
    • Level 2: Between 1 and 6 million transactions annually.
    • Level 3: Between 20,000 and 1 million e-commerce transactions annually.
    • Level 4: Fewer than 20,000 e-commerce transactions or up to 1 million transactions across other channels annually.
  4. Review compliance requirements: Once your compliance level is determined, review the specific PCI DSS requirements for that level. This will include understanding the required documentation, security controls, and assessment procedures such as whether you need an on-site audit or a Self-Assessment Questionnaire (SAQ).
  5. Regularly reevaluate: Transaction volumes can change, especially as your business grows. It’s important to regularly reevaluate your PCI compliance level and adjust your security practices accordingly to stay compliant.

PCI Hosting Services and Solutions by Atlantic.Net

PCI Hosting by Atlantic.Net™ is SOC 2 and SOC 3 certified, designed to secure and protect critical health data, and audited by a qualified, independent third-party CPA firm. If your company requires PCI-DSS compliance (Payment Card Industry Data Security Standard), Atlantic.Net’s managed security and compliance hosting services, coupled with our Cloud Platform and Dedicated Hosting, will provide you the easy button to help achieve and exceed your credit card industry PCI compliance requirements!

With our expanded network capacity and hardened data centers, your business will be able to achieve the uptime and cyber-security requirements for PCI compliance. You can meet your customers’ needs and accept online payments while maintaining PCI compliance and reducing your overall cost. Gain the competitive advantage you need with ease with our PCI-Compliant Hosting, backed by a 100% SLA.

Learn more about Atlantic.net PCI-compliant web hosting