The Many Levels of PCI Compliance, and How to Determine Which One You Need

Published November 6th, 2017 by Servistree

Do you know what level of PCI compliance your business falls under?

The different levels of PCI compliance are determined mainly by the number of card transactions your company processes per year. There are four different levels, with level four having the most relaxed requirements and level one being the most strict. Each level has specific requirements for proving your compliance with the PCI DSS.

If you fail to meet the requirements for your company’s level, the card issuing companies can move you to a stricter compliance level, regardless of the number of transactions you process. This means you’ll need to abide by even stricter requirements in order to continue processing credit cards.

Figuring out what level you fall into, and what you’ll need to do in order to be compliant, is really not a complicated process. Below are the four PCI compliance levels and the requirements that must be met for each of them. All you’ll need to do is total up the number of transactions your company processes each year.

Level 1 – Companies that process more than 6 million transactions per year.

Level 2 – Companies that process between 1 million and 6 million transactions per year.

Level 3 – Companies that process between 20,000 and 1 million transactions per year.

Level 4 – Companies that process less than 20,000 transactions per year.

For level 1, the requirements are as follows:

  • Conduct regular network scans by an approved scanning vendor (ASV).
  • Submit an annual compliance report by a qualified security assessor.
  • Complete and submit an attestation of compliance.

For levels 2, 3 and 4, requirements are below:

  • Conduct regular network scans by an approved scanning vendor.
  • Complete an annual self-assessment questionnaire (SAQ).
  • Complete and submit an attestation of compliance.

The major difference between the levels is that the largest companies, at level 1, must have an annual compliance report from a qualified security assessor, while companies on the other levels are entrusted to fill out a self-assessment questionnaire. The complexity and detail of the self-assessment questionnaire also vary by compliance level, highest at level 2 and lowest at level 4.

For the vast majority of businesses out there, all of this means you will need to fill out a PCI DSS self-assessment questionnaire each year and have quarterly network security scans done by an approved scanning vendor.

It is important to note that the determining factors for each level can vary somewhat between credit card companies. You should check with the individual card issuers for specific guidelines. You can find more information at the following links:

If you have any questions about determining your PCI compliance level, setting up PCI compliant payment processing, or anything else regarding payment processing, please contact us at 1-866-944-3244. We’ll be happy to answer any questions you have.
