A Guide to PCI Compliance Levels

Posted: April, 06, 2021 10:11AM ET • 2 min read

As a vendor processes more debit and credit card transactions, their compliance with Payment Card Industry (PCI) requirements become more stringent to protect your data security. These compliance levels range from Level 4 for enterprises that process relatively few transactions up to the highest compliance rating, Level 1, for those enterprises that process the most transactions and therefore have the greatest responsibility to protect your data.

The PCI Security Standards Council (PCI SSC) produces a variety of Self-Assessment Questionnaires (SAQs) to help enterprises of all sizes determine whether or not they are compliant with the requirements applicable to them. Many enterprises are further required to submit to a PCI security scan performed by an Approved Scanning Vendor (ASV) approved by the PCI SSC that consists of vulnerability scans or penetration testing, as appropriate.

Level 4

Merchants that process fewer than 20,000 e-commerce or fewer than one million real-world transactions annually are required to submit the relevant SAQs on a yearly basis, with the possibility of undergoing a quarterly PCI scan.

Level 3

For merchants processing between 20,000 and 1 million e-commerce transactions annually, they too must submit the SAQs relevant to their level on a yearly basis and may be subject to quarterly PCI scans.

Level 2

Merchants processing between 1 and 6 million real-world debit and credit card transactions annually must also submit yearly SAQs relevant to their environment and may be subject to quarterly PCI scans.

Level 1

For those merchants that process more than 6 million real-world debit and credit card transactions annually, they must undergo an internal audit, conducted by an authorized PCI auditor, on a yearly basis. In addition, they submit to vulnerability scans and penetration tests on a quarterly basis by an Approved Scanning Vendor in order to retain their Level 1 Compliance.

What does Level 1 Compliance Mean For Me?

A vendor that is able to achieve and maintain Level 1 PCI Compliance not only follows the most stringent security protocols in the industry but processes enough transactions to have the greatest experience in navigating existing and emerging payment security infrastructure.

Share Article:

Featured Articles

Joe Ritacca
Vice President, IT and Research & Development

As Vice President of Precise ParkLink’s Research and Development department and as the head of Precise ParkLink’s Project Management Office, Joe leads a team of systems engineers and software developers, guiding the development of creative solutions. The innovations and integrations he and his team develop let Precise ParkLink offer something truly unique in the Canadian marketplace — a fully turnkey parking technology and management solution. Having studied business administration and computer science at Ryerson University, and with over 25 years of parking industry experience, Joe is ideally suited to his role building teams that can conceptualize solutions and drive change on clients’ behalf.