The Ultimate Guide to PCI Compliance Levels

Tokenization for PCI compliance levels

Merchants and other entities that rely on card payments to run their businesses are all too familiar with the compliance burden of satisfying regulatory obligations. From international regulations such as the Payment Services Directive 2 (PSD2) to industry requirements such as the Payment Card Industry Data Security Standard (PCI DSS), there is no shortage of mandates to meet or boxes to check to remain in the good graces of these guidelines, which is essential in order to avoid fines and other penalties for noncompliance. The primary pain point here is the difficulty of identifying, tracking, and containing the massive volume of payment card information (PCI) organizations ingest without hindering existing business processes or hemorrhaging funds on expensive additions to internal systems. Even then, once the sensitive data is contained, organizations must decide how to secure it properly to meet additional compliance obligations. No simple task, to say the least.

Fortunately, the Payment Card Industry Security Standards Council (PCI SSC), which was founded by the five major card brands to better regulate the payment card industry, recognizes that the transaction volume and potential for misuse are much different for the Targets and Sonys of the world compared to your average mom-and-pop shops. Thus, the compliance obligations for these organizations should be adjusted accordingly. This line of thinking inspired the formation of the PCI compliance levels for merchants under the PCI DSS. These levels reflect the relative size and revenue of relevant organizations, resulting in compliance tiers that create a sort of sliding scale of requirements based on those organizations’ needs and operations. Below, we’ve created an outline of these PCI levels to help you understand where your organization currently resides and what compliance obligations it has as a result.

PCI Levels

The PCI SSC—whose membership consists of American Express, Discover, JCB, Mastercard, and Visa—regulates the handling of cardholder data (CHD) and other sensitive payment card information. These regulations, the PCI DSS, apply to any organization or entity that processes, stores, or transmits CHD. Although many of the requirements comprising the PCI DSS are applied and enforced in the same fashion across the board, the PCI SSC does not necessarily administer a one-size-fits-all approach to compliance. Instead, because organizations operate differently depending on their size, merchants are broken out into four PCI compliance levels based on the volume of their transactions. Each level brings with it different requirements for compliance and potential penalties if compliance is not met. 

It’s also important to note that some card companies will escalate your PCI compliance level if you suffer a breach or are otherwise found noncompliant. So just because you might have a higher level of compliance doesn’t mean QSAs, auditors, or the PCI SSC will be any more lenient with your organization than they would be with others.

PCI Compliance Levels for Merchants

What is PCI Level 1 Compliance?

PCI DSS Level 1 applies to merchants that process more than 6 million card transactions per year. Organizations within this level must complete a quarterly network scan by an approved scanning vendor (ASV), an attestation of compliance (AOC), and an annual report on compliance (ROC), which is a yearly audit conducted by a qualified security assessor (QSA) or internal auditor.

What is PCI Level 2 Compliance?

PCI DSS Level 2 applies to merchants that process 1-6 million transactions per year. Organizations within this level must complete an annual self-assessment questionnaire (SAQ), an annual AOC, and a quarterly network scan by an ASV.

What is PCI Level 3 Compliance?

PCI DSS Level 3 applies to merchants that process 20,000 to 1 million transactions per year. Organizations within this level must complete an annual SAQ, an annual AOC, and a quarterly network scan by an ASV.

What is PCI Level 4 Compliance?

PCI DSS Level 4 applies to merchants that process fewer than 20,000 transactions per year. Organizations within this level must complete an annual SAQ, an annual AOC, and a quarterly network scan by an ASV, if applicable. Additionally, PCI compliance level 4 organizations are required to use only qualified integrators and resellers (QIR) for the installation, integration, and servicing of point-of-sale (POS) applications and/or terminals.


PCI Compliance Levels: Additional Goals and Requirements

Regardless of an organization’s PCI compliance level, it must adhere to the six security goals and 12 requirements (and their applicable sub-requirements) of the PCI DSS. These function as the international security standard for organizations that wish to process, store, or accept cardholder data from the five major card brands. To remain PCI compliant, these baseline rules must be followed, with significant fines and other penalties for noncompliance. The PCI DSS requirements are summarized below.

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Use and regularly update antivirus software or programs
  • Develop and maintain secure systems and applications

Implement Strong Access-Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel

Tokenization for PCI Compliance

Regardless of your organization’s PCI compliance level, TokenEx can help you secure and desensitize cardholder data via cloud-based tokenization, which reduces the scope of PCI compliance and virtually eliminates the risk of data theft. By using tokenization to deidentify payment card information before it enters your organization’s cardholder data environment (CDE) or other internal systems, you can simplify the compliance process and minimize its cost. And because CHD never enters your environment, a breach of your systems will expose no payment card information—only placeholder tokens that cannot be reversed.

For more information about how TokenEx can help organizations secure payments and achieve PCI compliance, check out our PCI Compliance and Payment solutions pages.


Sources: PCI SSC Quick Reference Guide and Visa’s PCI Merchant Levels
