The 4 PCI Compliance Levels Explained

What Are the PCI Compliance Levels?

All service providers and merchants that store, transmit, or process credit card information have to adhere to the PCI DSS. However, they don’t all have to follow an identical route to PCI compliance. 

The degree of risk an organization is met with varies according to several factors. Given this, the PCI Security Standards Council created two PCI compliance levels that apply to service providers and four for merchants. The level an organization is delegated to varies according to:    

• The number of credit card transactions processed every year, and
• If the organization has experienced a cyberattack or breach leading to compromised cardholder or credit card information

PCI Compliance Concepts and Resources

The PCI Security Standards Council (SSC) was set up with the goal of enhancing data security for payment card information. It is an organization that provides frameworks, tools, measurement, and support resources to help organizations ensure the security of cardholder information. 

PCI DSS is a standard created by the SSC, providing the framework for a complete payment card data security process, including security incident prevention, detection, and appropriate response.

Tools and resources provided by PCI SSC include:

• Written resources including the List of Qualified Security Assessors (QSAs), Payment Application Certified Security Assessor (PA-QSA), and Approved Scan Vendors (ASV)
• Self Assessment Questionnaires (SAQ) organizations can use to assess their compliance readiness and report to the PCI SSC authority
• Security requirements for PIN transaction devices, with specific security instructions for each type of device
• The PA-DSS and verified payment applications

Related content: PCI DSS Requirements

What Are the 4 PCI Compliance Levels?

PCI compliance levels are based on the amount of transactions. A transaction is defined as any of the following, regardless of geographical region:

• Credit card-based transaction
• No card transaction
• Ecommerce transaction

PCI DSS Compliance Level 1

Applies to: Merchants that process more than 6 million card transactions annually—for example, large retailers operating in multiple countries.

Level 1 requires merchants to use a third-party auditor. External audits are performed by qualified security assessors (QSAs). This type of auditor must be approved by the PCI SSC to conduct a thorough on-site review of the organization’s practices to ensure compliance.

The QSA defines the scope of the audit, reviews the organization’s written records and data storage, and determines PCI compliance. The auditor then details the findings in a Report on Compliance (ROC).

Related content: PCI Audit: Requirements and 5 Steps to Prepare for Your Audit

Additional requirements for Level 1 merchants include:

• Quarterly network scan – these scans are a type of minor audit, and are performed by approved scanning vendors (ASVs). Network scans can be performed remotely, and are not as detailed as full annual assessments.
• Attestation of Compliance form – this is an opportunity to explain the organization’s compliance efforts to the PCI SSC authority. Unlike external audits, the Attestation of Compliance is written and submitted by internal staff.

PCI DSS Compliance Level 2

Applies to: Organizations that process between 1 and 6 million transactions per year. For example, a small to medium enterprise (SME) operating in active trade areas or across state or provincial lines.

PCI DSS Level 2 merchants must submit a Report of Compliance (ROC), but it is performed by internal evaluation, not an external audit. The internal evaluation is guided by the Self Assessment Questionnaire (SAQ) provided by the PCI SSC.

While a Level 2 merchant does not need to involve a QSA, they still need to demonstrate they have implemented all PCI compliance guidelines. Like Level 1 merchants, they must:

• Perform quarterly network scans performed by ASVs
• Submit an Attestation of Compliance.

PCI DSS Compliance Level 3

Applies to: Merchants that process between 20,000 and 1 million transactions each year. For example, small-to-medium businesses operating in a local area.

PCI DSS Level 3 merchants do not need to perform an external audit, and do not need to submit a Report of Compliance (ROC). However, they may do so voluntarily to improve their standing with customers or ensure their cardholder data is secure.

Apart from that, they face the same requirements as Level 2 merchants:

• Annual Self-Assessment Questionnaire
• Quarterly scan of the network performed via an ASV
• Attestation of Compliance (AOC)

PCI DSS Compliance Level 4

Applies to: Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1 million Visa transactions per year. For example, a small local business.

Unlike higher levels of PCI compliance, PCI DSS Level 4 merchants do not require audits, do not submit ROC, and may not need AOC forms.

Organizations at this level are mainly faced with meeting the PCI requirements of their bank. Their requirements typically include:

• Using only Qualified Integrators and Resellers (QIRs) to install, integrate, and service point-of-sale (POS) equipment and applications

• Perform an annual Self Assessment Questionnaire (SAQ)
• Perform quarterly network scans with an ASV

PCI DSS Levels for Service Providers

If you don’t possess a merchant ID, and if you do not rely on a PCI DSS approved payment processor, what are your options?

Here how the PCI SSC defines a service provider:  

Business entity that is not classified as a payment brand, involved in the transmission, storage, or processing of cardholder information. This also means companies that give services that can impact or control the security of cardholder information. 

Here are the two levels for service providers. They are categorized according to the amount of transactions that they process: 

• Level 1 – more than 300 thousand transactions annually
• Level 2 – fewer than 300 thousand transactions annually

If your organization functions as a service provider (irrespective of your level) you might wish to think about the merit of fulfilling a PCI Level 1 Audit, also called a PCI ROC. This should be completed via a QSA, which will authorize the status of your organization’s PCI compliance, and if you have done all the steps needed to be PCI compliant. 

If you meet all the requirements you will be issued an AOC that you can show to anyone wishing to verify your PCI Compliance position.  

For service providers that don’t process 300 thousand transactions, you could complete SAQ-D (this is the SAQ that service providers can complete according to the PCI SSC).

How To Pass Your PCI DSS Audit

For Level 1 merchants, preparing a Report of Compliance (ROC) requires an on-site audit from an external Qualified Security Assessor (QSA). 

For Level 2 merchants, the ROC is prepared by an internal security assessor. It can take up to two years to complete an audit, because the PCI DSS standard includes 12 objectives and 281 guidelines. A self-assessment is faster, but can still take up to a year depending on resources and the ability to gather reports and risk status for your network and applications.

An audit includes a large number of evaluations and tests including:

• Testing an organization’s control over its cardholder data environment (CDE) and POS equipment
• Evaluating access controls, including physical access
• Evaluating the level of security of IT suppliers
• Checking the effectiveness of network segmentation
• Identifying applications that process payment information
• Evaluating if, where, and how card information is stored
• Ensuring data encryption is in place

This is a partial list of the most common evaluations. Fortunately, PCI DSS is very standardized, and clearly indicates what must be done to follow each instruction. When preparing for an audit or self-assessment, you can speed up the process and reduce costs by following these steps:

1. Define the scope – identify which guidelines are relevant for your organization and which evaluations are relevant for each department or system within the organization.
2. Minimize scope – an easy way to reduce your scope is to set up a firewall around the CDE, which isolates it and limits the PCI investigation to systems behind the firewall.
3. Determine how PCI DSS requirement is met – prepare a risk assessment document, identify risks of non-compliance, and apply necessary control measures to remediate them.
4. Test your controls – do this before and after your annual audit or evaluation. PCI DSS compliance is an ongoing process and requires vigilance at all times.
5. Evidence gathering – all audits require complete documentation of your processes, controls, and security measures. Prepare them in advance to save time.

PCI Compliance with Exabeam

Exabeam Fusion SIEM, a cloud-delivered solution, combines conventional SIEM log management with an outcome-based approach through prescriptive workflows and pre-packaged, threat-specific content to solve threat detection, investigation, and response (TDIR) faster. Pre-built integrations with hundreds of 3rd-party security tools combines weak signals from other products with normal behavior pattern history to find threats missed by other tools. Automation of triage, investigation, and response activities from a single, centralized control plane turbocharges analyst productivity and reduces response times.

Exabeam Fusion SIEM: Comprehensive Compliance Logging for PCI DSS Compliance

Fusion SIEM contains predefined PCI DSS compliance reports such as “Failed VPN Logins” and “Remote Session Timeouts,” making it easy to show compliance to auditors. Exabeam Cloud Archive can retain up to ten years of online searchable data, meeting retention requirements for internal compliance stakeholders and external auditors.

Automated, Fast Threat Detection

Rapid threat detection is a key PCI DSS requirement. Exabeam continuously baselines the normal behavior of all users and entities on the network, combining input from endpoint detection and response (EDR) tools, network detection and response tools (NDR), cloud security tools, identity and access management solutions, and more. Deviations from normal behavior — whether by end user or service accounts — and file or suspicious server and cloud access is flagged and assigned a risk score. All incidents and alerts across the network are automatically organized into timelines that provide context for security teams to investigate and take decisive action. As a result, analysts can quickly detect insider threats, compromised accounts, data loss, and more.

PCI DSS emphasizes continuous account monitoring—especially for privileged users and third-party vendors with special access — and Exabeam supports that mission. Fusion SIEM helps SOC analysts quickly and accurately identify risky activity related to financial reporting no matter where it occurs. Exabeam ingests log data across disparate domains (e.g., cloud, database, email, application) and assembles it into a coherent activity chain to improve analyst visibility. Regarding the detection of data tampering specifically, Exabeam has built-in file monitoring models that track every file-related action—including initial access, attaching data to an email, downloading, or even writing to a USB drive.

See Exabeam in action: Request a demo