
4 PCI DSS Compliance Levels

There are four levels of compliance under the Payment Card Industry Data Security Standard that organizations need to know. Let’s walk through each of those now.

Is your company collecting, using, storing, processing, or transmitting payment cardholder data? If that's the case, you've probably heard of PCI DSS, or Payment Card Industry Data Security Standard. The PCI DSS is a standard, developed by major credit card companies, that establishes particular rules for merchants and service providers to follow in order to safeguard payment cardholder data.

This is a demanding standard to meet, and achieving PCI compliance takes real effort, especially as the framework applies to businesses of different sizes and processing capacities. Within the PCI DSS (Payment Card Industry Data Security Standard), there are four levels of standards for PCI compliance.

In this article, we’ll break down how these four compliance levels work, who they apply to, and how to meet PCI compliance within your organization. 

Understanding the 4 PCI DSS Compliance Levels

What is PCI DSS? 

The Payment Card Industry Data Security Standard (also known as PCI DSS) is a collection of security guidelines meant to guarantee that all businesses that accept, handle, store, or transmit credit card data do so in a safe manner.

On September 7th, 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed to oversee the continued advancement of the Payment Card Industry (commonly known as PCI) security standards, with an emphasis on strengthening payment account security throughout the transaction process. The PCI DSS is overseen and controlled by the PCI SSC, a non-profit organization founded by major credit card companies such as Visa and MasterCard. It's vital to highlight that it's the payment brands and acquirers, not the PCI council, who are in charge of ensuring compliance.

What are the 4 levels of PCI Compliance? 

PCI DSS applies to all enterprises that receive, transmit, or retain credit card data, regardless of their company size. PCI compliance is divided into four tiers, each of which is determined by the number of Visa transactions a merchant executes within a given year:

  • Merchant Level One - Any merchant processing more than six million Visa transactions per year, as well as any merchant determined by Visa to be at risk to the Visa system, must fulfill the Level One merchant standards.
  • Merchant Level Two - Any retailer handling one million to six million Visa transactions each year.
  • Merchant Level Three - Any merchant conducting 20,000 to one million Visa e-commerce transactions per year qualifies for this level.
  • Merchant Level Four - Any merchant who processes fewer than 20,000 Visa e-commerce transactions per year and all other merchants who conduct between 20,000 and one million Visa transactions per year.

All merchants are assigned to one of four merchant tiers based on Visa transaction volume over a twelve-month period. Transaction volume is calculated from the total number of Visa transactions, including credit, debit, and prepaid, from a merchant Doing Business As (also known as "DBA"). When a merchant company has more than one DBA, Visa acquirers must evaluate the aggregate volume of transactions stored, processed, or sent by the corporate entity to determine the validation level. If data isn't aggregated, meaning a corporate entity doesn't store, process, or send cardholder data on behalf of several DBAs, acquirers will continue to base their validation level on the DBA's individual transaction volume.


How do these 4 levels impact compliance?

Each compliance level has different requirements. Any company that falls under Level One must have an internal auditor conduct an annual on-site inspection and must have a network scan performed by an approved scanning provider. Businesses in Levels Two, Three, and Four must complete the PCI DSS Self-Assessment Questionnaire once a year and conduct quarterly network security checks with an approved scanning provider. The PCI website features this evaluation questionnaire.

Meeting PCI Compliance

Are you wondering how to meet compliance for the PCI DSS? If so, you have many options. We recommend implementing these tips and best practices into your existing compliance plan, regardless of the PCI DSS level your organization is at:

  • Maintain a Vulnerability Management Program by utilizing anti-virus software and updating it on a regular basis.
  • Secure systems and applications must be developed and maintained at all levels of the company.
  • Implement effective access control measures by limiting cardholder data access to just those who have a business need-to-know. Each individual who has access to the computer should be given a unique ID.
  • If at all feasible, limit physical access to cardholder data.
  • On-premises network monitoring and testing should be done on a regular basis. All access to network resources and cardholder data should be tracked and monitored. It's also a good idea to test security systems and processes on a frequent basis.
  • Always have an Information Protection Policy in place that covers the security of data for both workers and contractors.
  • Purchase and utilize only approved PIN input devices, as well as verified payment software, at your point-of-sale and on your internet shopping cart.
  • Do not store sensitive cardholder data on computers or on paper for any reason.
  • Ensure that your organization's wireless router is password-protected and employs encryption.
  • To secure cardholder data, establish and maintain a firewall setup.
  • For system passwords and other security settings, do not utilize vendor-supplied defaults.
  • Encrypt the transfer of cardholder data across open, public networks to protect stored cardholder data.
  • Check PIN entry devices and PCs on a regular basis to ensure that no malicious software or "skimming" devices have been installed.
  • Teach your personnel about security and cardholder data protection, and provide them with frequent training.

In general, we would recommend working with a risk and compliance company like Accountable HQ to streamline your compliance processes and ensure everything is done correctly. PCI DSS compliance can be complex, so it’s best to trust the professionals.
