Comprehensive Guide to the Four Levels of PCI Compliance

PCI DSS (Payment Card Industry Data Security Standard) is a global security framework that defines the technical and operational requirements for protecting credit card and cardholder data, together with the levels at which compliance must be validated. It applies to all entities that store, process, or transmit cardholder information. PCI DSS was developed by the PCI Security Standards Council (PCI SSC) – a body founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) – and is updated periodically to address emerging threats. Each card brand enforces PCI DSS compliance for its own transactions.

Although PCI DSS is not a law, payment processors and acquiring banks require merchants and service providers to meet these standards as part of their agreements. Compliance helps prevent data breaches and fraud, protecting consumer data and the business’s reputation.

In March 2022, the PCI SSC released version 4.0 of the standard, replacing v3.2.1. As of April 1, 2024, PCI DSS v4.0 took effect, and v3.2.1 was retired. A minor revision (PCI DSS v4.0.1) was published on June 11, 2024, to clarify requirements (with no new controls). In total, PCI DSS v4.x introduced 64 new requirements (beyond those in v3.2.1); 13 of these became mandatory on April 1, 2024, and the remaining 51 are “future-dated” and will be required by March 31, 2025. The PCI SSC advises organizations to plan early to adopt these new controls.

In practical terms, this means that by April 2025, all merchants and service providers must fully comply with the updated PCI DSS requirements, including stronger authentication, enhanced monitoring, and more flexible compliance methods. For example, PCI DSS 4.0 requires multi-factor authentication for all access into the cardholder data environment (with some flexibility for “phishing-resistant” methods) and mandates quarterly external vulnerability scanning for all merchants with internet-connected payment systems. Overall, the latest PCI DSS version shifts focus to continuous security and risk management.

Understanding the Four Levels of PCI Compliance

Merchants are grouped into four PCI compliance levels based on annual transaction volume (typically the number of Visa/Mastercard credit/debit/prepaid transactions, though each brand’s program may vary slightly).

The levels determine what validation steps are required each year. (Service providers – companies that process or store card data on behalf of merchants – have a similar two-tier structure, generally Level 1 for >300,000 transactions, but this guide focuses on merchants.) The merchant levels are defined as follows (per Mastercard’s official guidance):

  • Level 1: Over 6 million card transactions per year (across all channels), or any merchant that has had an Account Data Compromise (ADC), such as a breach. Typically large retailers and global businesses.
  • Level 2: Between 1 million and 6 million transactions per year. Usually, medium-sized businesses.
  • Level 3: Between 20,000 and 1 million e-commerce transactions per year. (This level counts only online, card-not-present transactions.)
  • Level 4: Fewer than 20,000 e-commerce transactions per year, and all other merchants up to 1 million total transactions. Generally, small retailers and local businesses.

Each payment brand may have nuances (for example, JCB treats all >20,000 transactions as Level 2, and any breach can elevate a merchant to Level 1). Still, these thresholds are widely accepted as a guideline. In practice, your acquiring bank or processor will classify your merchant level based on the prior year’s total volume and notify you. If unsure, merchants should tally their annual volume across all cards and channels and ask their acquirer which PCI level applies.

Validation Requirements by Levels

Each level has different validation requirements:

  • Level 1: Requires an annual on-site audit by a PCI Qualified Security Assessor (QSA) or a certified Internal Security Assessor (ISA), producing a full Report on Compliance (ROC). The merchant must also complete a PCI Attestation of Compliance (AOC) form. In addition, Level 1 merchants must perform quarterly external vulnerability scans (by an Approved Scanning Vendor, ASV) and annual internal and external penetration tests, as required by PCI DSS.
  • Level 2: Typically completes an annual Self-Assessment Questionnaire (SAQ) (often SAQ D for merchants). As an alternative, some Level 2 merchants may choose or be required by their acquirer to have a QSA perform an on-site assessment instead of the SAQ. Quarterly ASV scanning is also required for all Level 2 merchants.
  • Level 3: Fulfills PCI DSS via an annual SAQ (commonly SAQ C or D for e-commerce merchants). Quarterly external scans by an ASV are required. Level 3 merchants may optionally engage a QSA for a full audit, but it is not mandated.
  • Level 4: Typically completes an annual SAQ (for example, SAQ A if all payment processing is outsourced). An on-site audit is not required but can be done at the merchant’s discretion. Level 4 merchants with no internet-facing systems often do not run frequent scans; however, if card data systems are online, the acquiring bank will usually require quarterly ASV scans. Level 4 merchants should consult their acquirer about the exact validation needed.

In all cases, merchants must comply with the core 12 PCI DSS requirements (see below) regardless of level. The main difference is how compliance is validated: Level 1 demands a formal audit and report, whereas Levels 2-4 rely on self-assessments (SAQs) and scans.

Note that any merchant (at any level) that suffers a security breach may be moved to Level 1 by the card brands, triggering the strictest validation (an annual audit) to restore trust.

Key PCI DSS Requirements

PCI DSS defines 12 main requirements (with sub-requirements) for protecting cardholder data. These cover areas such as network security, encryption, access controls, monitoring, and policies. In summary, PCI DSS requires merchants to:

  • Build and maintain a secure network: Install and configure firewalls to protect card data. Do not use vendor-supplied defaults for system passwords or security parameters.
  • Protect cardholder data: Encrypt or truncate stored PANs (Primary Account Numbers), and mask or hash them when displayed. Minimize retention of stored data.
  • Encrypt transmission of cardholder data: Use strong cryptography whenever card data is sent over open or public networks.
  • Use and regularly update anti-virus/anti-malware software: Protect all systems against malware and keep signatures up to date.
  • Maintain secure systems and applications: Install security patches promptly (v4.0 now clarifies that only critical vulnerabilities must be patched within 30 days), and only use safe, supported software.
  • Restrict access to cardholder data by business need-to-know: Grant data access only to those employees whose jobs require it.
  • Identify and authenticate access: Assign a unique ID to each person with computer access to card data, and require strong authentication for all users. (PCI DSS 4.0 also requires multi-factor authentication for any access into the cardholder data environment, though phish-resistant methods may substitute in some cases.)
  • Control physical access: Physically secure any media or devices that contain cardholder data (e.g. locked cabinets, access logs, video surveillance).
  • Track and monitor access: Log and regularly review all access to network resources and card data (Requirement 10). Maintain audit trails of user activities.
  • Regularly test security systems: Perform internal and external vulnerability scans at least quarterly, and annual internal and external penetration tests. (PCI DSS v4.0 also adds testing of segmentation controls and Requirement 11.3.2 external scans for e-commerce merchants using SAQ A.)
  • Maintain an information security policy: Establish, maintain, and disseminate a security policy that addresses information security for employees and contractors.
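The “Protect cardholder data” item above is the one most often implemented in application code. The following is an added example, not code from the original article or from the PCI SSC, showing the three handling modes it names: masking for display, truncation for storage, and a keyed hash for lookups. It assumes the widely used first-6/last-4 display format, a placeholder HMAC key, and a constructed test card number.

```python
import hashlib
import hmac
import re

# Constructed sample PAN: a standard test number that passes the Luhn check, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"
# Placeholder key for the keyed hash; in production it comes from a managed key store (assumption).
DEMO_HMAC_KEY = b"placeholder-key-replace-me"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by the major card brands; rejects mistyped or random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and refuse anything that is not a plausible PAN (13-19 Luhn-valid digits)."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped value")
    if not luhn_ok(digits):
        raise ValueError("Luhn check failed")
    return digits


def mask_pan(raw: str) -> str:
    """Display form: at most the first 6 (BIN) and last 4 digits visible, the rest replaced by '*'."""
    d = normalize_pan(raw)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(raw: str) -> str:
    """Storage form: keep only first 6 + last 4; the middle digits are discarded, not recoverable."""
    d = normalize_pan(raw)
    return d[:6] + d[-4:]


def hash_pan(raw: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed hash (HMAC-SHA256) for matching a PAN without storing it; an unkeyed hash would be brute-forceable."""
    d = normalize_pan(raw)
    return hmac.new(key, d.encode(), hashlib.sha256).hexdigest()
```

Storing the truncated value and the keyed hash side by side is allowed only if they cannot be correlated to rebuild the full PAN, which is why the hash is keyed here.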

These requirements remain largely the same in PCI DSS 4.x, but version 4.0 strengthens some controls. For example, v4.0 requires multi-factor authentication for all access into the cardholder data environment (expanding on the old rule that only administrators needed MFA).

It also introduces a new “customized approach” allowing organizations to meet some objectives by alternative methods, emphasizing continuous monitoring and risk analysis rather than point-in-time compliance. Overall, v4.x places a heavier emphasis on evolving threats (e.g. phishing, scripting attacks on payment pages) and on organizations taking ownership of security processes (defining roles and responsibilities for each requirement).

Maintaining PCI DSS Compliance

Maintaining PCI DSS compliance is an ongoing commitment that ensures the security of cardholder data and protects your business from fraud and fines. Below, we’ll cover how to validate your compliance, define and, if needed, segment your Cardholder Data Environment, implement essential security controls, and seek the proper assistance and resources to keep your payment systems secure year‑round.

1. Validation:

Merchants must validate their PCI compliance on an annual or quarterly basis, depending on their level. Level 2-4 merchants typically complete the appropriate Self‑Assessment Questionnaire (SAQ) – a detailed checklist of applicable PCI requirements – and submit it to their acquirer or card brand. Level 1 merchants (and any Level 2s that choose an audit) instead undergo an on‑site review by a PCI Qualified Security Assessor, who produces a Report on Compliance (ROC); the merchant then signs an Attestation of Compliance (AOC) summarizing their status.

Regardless of level, any merchant with external network connections must perform quarterly vulnerability scans through an Approved Scanning Vendor; Levels 1-3 must remediate critical findings and supply passing reports (and, under PCI DSS v4.0, specific online-only merchants using third-party checkouts may also fall under this requirement).

In addition, internal and external penetration tests are mandated at least once a year, with segmentation controls themselves tested if network segmentation is used to reduce PCI scope. Finally, merchants need to keep comprehensive documentation – network diagrams, policies, training records, AOCs, scan reports, and other evidence of compliance – on file to demonstrate and support their ongoing adherence.

2. Scope and Segmentation:

Define the Cardholder Data Environment (CDE) clearly – only systems that store, process, or transmit card data (or connect to them) are in scope. Proper network segmentation (e.g., isolating payment systems from the rest of the network) can shrink the scope of PCI DSS. However, segmentation itself must be tested and documented.

3. Security Controls:

In practice, maintaining compliance means implementing strong security controls continuously. This includes using encryption (point-to-point encryption or tokenization to reduce scope), enforcing strong password policies (e.g., minimum 12-character passwords as per v4.0), applying system patches promptly, using up-to-date anti-malware, and employing network monitoring/IDS.

Organizations should also enforce least-privilege access and require regular security training for staff. Many merchants use security automation and continuous monitoring tools to help sustain PCI controls year-round.

4. Assistance:

Smaller merchants often hire consultants or QSAs to help meet PCI DSS requirements. The PCI SSC provides resources (SAQ instructions, Prioritized Approach tool, PCI Security Essentials education) to guide implementation. Some acquiring banks also offer guidance or solutions (e.g., hosting point-of-sale systems in PCI-compliant environments) to assist merchants.

In rare cases, payment brands may subsidize compliance costs for small merchants, but generally, the merchant bears the expense of technology upgrades, training, and audits needed to comply.

Costs and Consequences of Compliance vs. Non-Compliance

The expense of PCI compliance varies widely. A small Level 4 merchant might spend a few thousand dollars per year on compliance (covering quarterly scans, basic security software, and perhaps consulting help). Larger merchants face much higher costs: audits, extensive network upgrades, dedicated security staff, and advanced monitoring tools can run into tens or hundreds of thousands of dollars per year.

Key cost factors include business size, transaction volume, IT environment complexity, chosen security technologies, and the availability of in-house staff to manage PCI tasks. For example, investing in tokenization or a PCI-validated point-to-point encryption (P2PE) solution can reduce scope and lower some costs in the long run, but requires upfront expenses. Because the 12 PCI requirements are detailed and technical, many organizations find they need to hire experienced security personnel or consultants to achieve and maintain compliance.

Non-Compliance Penalties

Failing to comply with PCI DSS can be very costly. Card brands impose financial penalties on merchants (usually through the acquiring bank) for non-compliance or after a breach. According to Visa policy, issuers or acquirers may incur non-compliance assessments if their merchants fail to meet PCI standards.

In practice, industry reports indicate penalties can range from $5,000 to $100,000 per month of detected non-compliance (depending on scale and duration) and up to $500,000 or more per incident if a breach occurs under non-compliance. Beyond fines, non-compliance can lead to higher processing fees, suspension of merchant accounts, or even outright termination of the merchant’s ability to accept cards.

A data breach under non-compliance multiplies costs: the merchant may be liable for fraud losses and the cost of reissuing payment cards. The merchant must also comply with breach notification laws (notifying customers in writing), often providing credit monitoring. Legal liabilities and loss of consumer trust are hard to quantify but can severely damage a business.

Conclusion

Navigating PCI DSS compliance is essential for any business handling card payments. The four merchant levels (based on annual transaction volume) determine the rigor of the validation process, from self-assessment questionnaires to third-party audits. In all cases, merchants must satisfy the 12 PCI DSS requirements and perform ongoing security tasks (scans, testing, logging, etc.).

The recent update to PCI DSS (version 4.0.1) raises the bar even higher with new requirements and stricter authentication rules, so organizations should take advantage of the 2024 transition period to strengthen their controls. Maintaining PCI compliance not only avoids heavy fines and penalties, but, more importantly, ensures that customers’ sensitive payment data stays secure.

Frequently Asked Questions

  1. How are the four PCI DSS merchant levels defined?

    The four merchant levels are based on annual transaction volume: Level 1 for over 6 million transactions, Level 2 for 1-6 million, Level 3 for 20,000-1 million e‑commerce transactions, and Level 4 for fewer than 20,000 online or up to 1 million total transactions.

  2. What validation steps are required for each PCI level?

    Level 1 merchants must undergo an annual on‑site audit by a QSA with a Report on Compliance and Attestation of Compliance, plus quarterly ASV scans and annual penetration tests. Levels 2-4 generally complete a Self‑Assessment Questionnaire and quarterly ASV scans, though some Level 2s may opt for a QSA audit.

  3. Can a data breach change my PCI compliance level?

    Yes – any merchant that suffers an Account Data Compromise (e.g., a breach) is elevated to Level 1 by the card brands and must complete the strictest validation, including an on‑site QSA audit.

  4. When did PCI DSS v4.0 take effect, and what’s the compliance timeline?

    PCI DSS v4.0 was published in March 2022, with v3.2.1 retired on 31 March 2024, making v4.0 the active standard. A limited revision, v4.0.1, was released in June 2024, and all future‑dated requirements must be implemented by 31 March 2025.

  5. What are the significant new requirements introduced in PCI DSS v4.0?

    Version 4.0 introduces 64 new requirements, comprising 13 immediately effective and 51 future-dated ones. These include mandatory multi-factor authentication for all access to the Cardholder Data Environment, enhanced monitoring and penetration testing, and a “customized approach” that emphasizes continuous risk management.