Find which PCI compliance level applies to your company.

PCI compliance levels are determined by the number of transactions your organization processes with each credit card company per year.

If you are unfamiliar with PCI compliance or have never heard of PCI merchant compliance levels at all, odds are you fall into the category with the loosest requirements. You may need to start looking to the enhanced standards at higher levels as your organization grows.

PCI Compliance Scanning Services

PCI Compliance Levels - The Basics

Lets clear up the most common misconception with regard to PCI compliance, "I process credit card transactions online but I don't need to worry about PCI compliance yet." If you process credit cards, you fall into one of the PCI merchant compliance levels, shown below. Two reasons that we hear are that a merchant does not store credit card data, or that they don't process enough transactions to worry about PCI standards. These ideas are both 100% wrong.

Requirements by Merchant Level

If you are new to PCI compliance and find merchant levels confusing, that is because they are. As the chart above shows, qualifications vary from one provider to the next. The requirements, however, are standard across the board. For the purpose of explaining levels, we'll use a few generalizations that try to fit everyone into the qualifications that make the most sense across the board.

PCI Compliance Level 4

Especially if you are new to PCI or getting a new website started, chances are that this is you. If you are processing less than 20,000 transactions of each card type, a bit more for American Express, you only have to worry about the bare essentials. First, you need to sign up for quarterly security scanning through an Approved Scanning Vendor (ASV). Second, you need to complete your self-assessment questionnaire (SAQ).

The only difference between level 4 and level 3 companies is that your credit card processors will not verify whether or not you are meeting the Data Security Standard (DSS) requirements if you are a level 4 organization. That means the responsibility, and the liability, falls squarely upon your shoulders.

PCI Compliance Level 3

This is another of the levels that applies to a huge number of medium size companies out there. Once you hit the threshhold of 20,000-50,000 transactions, but before you hit the one million transaction level, you are still required to sign up for quarterly scanning and complete your SAQ. The difference is that now you need to have that information validated when it is submitted to the payment processors.

PCI Compliance Level 2

Companies that process over a million transactions per year are required to do everything they were doing before a million transactions, only now the staff that performs the self-assessment must attend and pass a yearly training and accreditation for PCI SSC ISA if they want to keep using the option of self-assessment for PCI compliance validation.

If your company meets the Level 2 requirements for American Express (50 thousand to 2.5 million transactions per year), your SAQ must be certified by the CEO, CFO, CIO, CISO, or other principal.

Level 2 organizations can opt, instead, to have their assessment performed on site by a Qualified Security Assessor.

PCI Compliance Level 1

Once your organization has met the level 1 merchant compliance requirements, all assessments must be performed on site by a Qualified Security Assessor.