What are the four levels of PCI DSS compliance?

All companies that process credit card payments need to comply with the Payment Card Industry Data Security Standard (PCI DSS). It defines four levels of PCI compliance that are determined by the volume and type of credit card transactions processed by a merchant.

Based on their PCI DSS merchant level, companies need to take different actions to demonstrate compliance and protect cardholder data.

PCI DSS is administered by the Payment Card Industry Security Standards Council (PCI SSC), a global forum of industry stakeholders. The Council was formed by American Express, Discover, JCB International, MasterCard, and MasterCard on September 7, 2006, to manage and supply information supporting PCI DSS.

Documentation demonstrating compliance is sent to the Council when necessary.

In this post, we’ll review:

What are PCI merchant levels?
An example of PCI levels
How do PCI levels affect compliance validation and reporting?
How data loss prevention enhances PCI DSS compliance
Deploying a modern DLP solution
Frequently asked questions

What are PCI merchant levels?

PCI merchant levels are primarily used by the payment card industry to categorize businesses that handle payment cards and are based on the volume and type of cardholder transactions they process. Merchants that are classified at different levels are required to follow different reporting guidelines.

PCI merchant levels are determined by individual payment card companies. There is no industry-wide standard, though most companies define similar levels.

In most cases, such as Visa, four levels are defined that have varying requirements to demonstrate and document PCI DSS compliance. Discover is an exception and only categorizes businesses into three levels.

An example of PCI levels

We will use Mastercard’s PCI levels as an example of the way businesses are categorized by the payment card industry. MasterCard has defined four merchant levels based on the quantity of MasterCard transactions a business has conducted over the most recent 12-month period.

These levels determine the amount of assessment and security validation an entity must perform to maintain PCI-DSS compliance.

Level 1 applies to any merchant processing over six million MasterCard transactions per year using any credit card acceptance method. MasterCard can also classify a merchant as Level 1 at its discretion to minimize risks to its IT systems.
Level 2 is for merchants processing between one and six million MasterCard transactions per year using any credit card acceptance method.
Level 3 applies to merchants processing more than 20,000 ecommerce transactions annually but less than one million total MasterCard transactions using any credit card acceptance method.
Level 4 applies to all other merchants. Level 4 merchants need to comply with PCI DSS but may not be required to provide compliance validation. Merchants at Level 4 should consult with their acquiring bank to see if validation is required.

How do PCI levels affect compliance validation and reporting?

Companies subject to PCI DSS must conduct annual assessments to verify PCI compliance. However, the type of assessment required depends on its merchant level.

Level 1: Level 1 merchants are required to perform a PCI DSS assessment that results in the completion of a Report on Compliance (ROC). Assessments must be performed by a PCI SSC-approved Qualified Security Assessor (QSA) or a PCI SSC-certified Internal Security Assessor (ISA).
Level 2: Level 2 merchants are required to complete a Self-Assessment Questionnaire (SAQ) and must engage a PCI SSC-approved Qualified Security Assessor (QSA) or PCI SSC-certified Internal Security Assessor (ISA).
Levels 3 & 4: Level 3 and 4 merchants are also required to complete an SAQ.

Level 2 through 4 merchants can choose to complete an ROC instead of an SAQ to further validate and document their compliance.

How data loss prevention enhances PCI DSS compliance

Data loss prevention (DLP) solutions can help companies comply with PCI DSS regulations. By enforcing an organization’s data handling policy, DLP supports the security required to maintain PCI compliance. The key is for companies to develop an effective data handling policy that incorporates compliance requirements.

Specifically, DLP addresses the following three PCI DSS requirements:

Protecting cardholder data is supported by DLP’s ability to restrict unauthorized access and use of sensitive data.
Encrypting data before transmission over an open network to prevent interception during transit. PCI DSS prohibits the transmission of unencrypted data over open networks.
Restricting access to cardholder data on a business need-to-know basis is also enforced by a DLP solution. Unauthorized users are restricted from accessing sensitive cardholder data. Some DLP solutions provide user training in real-time to educate employees on policies and best practices (a valuable supplement to your company's PCI compliance training).

Deploying a modern DLP solution

Do you know what the 5 key benefits of an effective DLP endpoint agent are?

✅ Data protection any time, any place, anywhere
✅ Increased data visibility
✅ More control over data user access permissions
✅ Identifies gaps in patch management
✅ Reduces data breaches
— Next DLP (@Next_DLP) February 27, 2023

The Reveal Platform by Next is an advanced DLP solution that helps companies protect their sensitive data resources and comply with PCI DSS requirements. It’s built with today’s technology and provides businesses with a cloud-native platform that supports flexibility, fast deployment, and immediate visibility into data resources.

Reveal is the first DLP platform that delivers machine learning on the endpoint. Featuring a smart agent that identifies and categorizes data at the point of risk, the tool also offers user training that supports the development of a security-conscious culture throughout the organization.

Contact Next and book a demo to see how this advanced DLP solution can increase your data security and help your organization remain compliant with PCI DSS.

Frequently asked questions

What constitutes a merchant under PCI DSS?

PCI DSS defines a merchant as any entity that processes credit card transactions using any acceptance method. Merchants are assigned levels that reflect the volume and type of transactions they process. In the world of ecommerce, virtually every company is considered a PCI DSS merchant.

How does my company demonstrate PCI compliance?

Companies have varying requirements related to PCI compliance, based on their merchant level. All merchants need to perform annual assessments to demonstrate compliance.

Level 1 merchants must complete a Report on Compliance (ROC).
Level 2 merchants must perform a Self-Assessment Questionnaire (SAQ) conducted by certified personnel.
Level 3 and 4 merchants must perform an SAQ.

Level 2 through 4 merchants can also choose to submit an ROC instead of an SAQ.

How is my organization’s merchant level determined?

Merchant levels are assigned by the merchant’s payment card processor and are based on the number of transactions a merchant has processed over the previous 52-week period. The payment card processor can raise the levels to a higher level if they believe the merchant’s environment poses security risks to cardholder data.