The Payment Card Industry Data Security Standard (PCI DSS) was enacted in 2004 to assure that all businesses that accept, handle, store, or transfer credit card information operate securely. PCI compliance is required for all merchants and service providers that process payment cards for in-store and e-commerce transactions.

PCI requirements differ depending on the number and type of credit card transactions business processes per year; that transaction volume determines the level of PCI compliance a company must achieve. There are four levels of PCI compliance for merchants and two for service providers, all intended to protect the security of cardholder data and credit card data.

The PCI Security Standards Council (PCI SSC) established different compliance levels to acknowledge that credit card data security risks rise with the number of transactions a business processes. More transactions increase the security risk, so more PCI compliance requirements apply.

What are PCI DSS and PCI Compliance?

PCI DSS is a set of security standards and best practices designed to ensure that companies and organizations that handle credit card transactions maintain a secure environment. The PCI DSS was created to protect the sensitive data associated with payment cards, such as credit and debit cards, and to reduce the risk of data breaches and fraud.

PCI Compliance, on the other hand, refers to an organization’s adherence to the PCI DSS requirements and standards. Achieving PCI Compliance means that a business or entity has implemented the necessary security measures and procedures to protect payment card data.

The PCI DSS is maintained and governed by the Payment Card Industry Security Standards Council (PCI SSC), which is an organization founded by major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB International. The council periodically updates the PCI DSS to address evolving security threats and technologies.

PCI DSS consists of requirements and security controls covering various aspects of data security, including network security, access control, encryption, vulnerability management, and more. These requirements are organized into several categories, including:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

To achieve and maintain PCI Compliance, organizations that handle payment card data must follow these requirements, and they may be subject to periodic assessments or audits by Qualified Security Assessors (QSA) or internal security teams. 

Overall, compliance with PCI DSS and PCI Compliance plays a crucial role in safeguarding sensitive payment card data and maintaining the trust of consumers and the payment card industry.

Levels of PCI Compliance

PCI Compliance categorizes businesses and service providers into different levels, customizing them according to their annual transaction volume and size. Merchants striving to attain and uphold PCI DSS compliance levels should thoroughly understand their specific compliance tier. These levels fall into four categories:

  • PCI Compliance Level 1: This level applies to large businesses that process roughly six million credit card transactions annually. It also extends to service providers managing over 300,000 transactions annually. Level 1 compliance imposes more rigorous requirements.
  • PCI Compliance Level 2: Tailored for mid-to-large-sized businesses processing one to six million credit card transactions annually. It also encompasses service providers handling less than 300,000 transactions.
  • PCI Compliance Level 3: Customized for small-to-mid-sized businesses conducting a range of 20,000 to one million credit card transactions annually.
  • PCI Compliance Level 4: Created for smaller businesses with an annual credit card transaction volume of fewer than 20,000.

Compliance levels directly impact the validation methods that merchants must follow. Depending on the PCI level, these validation methods may involve submitting various forms and assessments. Specifically, Level 1 PCI Compliance typically demands more extensive validation requirements, such as the Report on Compliance (PCI ROC) forms. In contrast, the other levels may entail different Self-Assessment Questionnaires (PCI SAQ) and validation criteria.

What Does PCI DSS Level 1 Mean for Your Business?

Achieving PCI DSS Level 1 certification isn’t just about meeting industry standards; it’s a powerful statement of your business needs and commitment to data security and consumer trust. 

This certification shields your business from expensive non-compliance penalties and opens doors to favorable negotiations with financial institutions. Here’s a closer look at the advantages of PCI DSS Level 1 certification for your business:

  1. Avoid Costly Fines: Maintaining PCI DSS Level 1 compliance safeguards your business from steep fines that could result from security breaches.
  2. Rigorous Security Checks: Hosting services include quarterly scans conducted by PCI-approved ASVs (Approved Scanning Vendors) to ensure your infrastructure remains secure.
  3. Proactive Issue Resolution: Any encoding or configuration-related concerns identified during ASV scans are promptly addressed, maintaining the integrity of your systems.
  4. External Penetration Testing: Annual penetration testing by an external party adds an extra layer of security, evaluating the robustness of your infrastructure.
  5. Full Compliance: Hosting services are tailored to provide a PCI DSS Level 1 hosting platform that aligns with all 12 PCI requirements, leaving no room for vulnerabilities.
  6. Reduced Fraud Risk: PCI compliance significantly reduces the risk of fraud, protecting both your business and your customers.
  7. Boost Consumer Confidence: Displaying the PCI DSS logo on your website assures online shoppers that their data is safe, instilling confidence and trust in your business.

Incorporating PCI DSS Level 1 certification isn’t just about meeting regulatory demands; it’s a strategic move that can enhance your business’s reputation and strengthen customer relationships.

PCI Compliance Level 1 Explained

There are four levels of PCI compliance. Level 1 is the highest and most stringent of the four.

Most assume compliance is determined only by the volume of transactions an organization processes; that needs to be corrected. Merchants and service providers that have suffered a compromise of credit card or cardholder data also must meet Level 1 requirements – regardless of how many payment card transactions they process, store, or transmit.

PCI compliance certification assures card data protection through a series of requirements defined by the PCI SSC. These include a variety of best practices, such as firewall deployment, data transport encryption, and the use of anti-virus software. Businesses must also limit access to credit card information and monitor network access permissions.

PCI compliance signals to customers that their transactions with your company are protected. In contrast, the penalties for non-compliance, both monetary and reputational, should be enough to persuade any business owner to prioritize data security.

How Do Level 1 Merchants Comply with PCI DSS?

To comply with PCI DSS, businesses at all levels must self-assess their controls by filling out a PCI DSS Self-Assessment Questionnaire (SAQ) that the Security Standards Council provides. Levels 2, 3, and 4 can achieve PCI compliance simply by completing the SAQ and meeting the corresponding requirements.

Level 1 merchants and service providers must also have a Qualified Security Assessor (QSA) or internal security assessor perform an onsite audit annually. The assessor will review the SAQ and compare it with the findings from the onsite audit to complete an annual compliance report.


Specific criteria qualify a business as a Level 1 merchant. Merchants must only meet one of these criteria to be considered Level 1, so your organization must be aware of the complete list:

  • Processes 6 million or more Visa, Mastercard, or Discover transactions annually;
  • Processes 2.5 million or more American Express transactions annually;
  • Processes 1 million or more JCB transactions annually;
  • Has suffered a data breach or cyberattack that resulted in a compromise of cardholder data.

Validation Requirements

If any of the above criteria are met, companies must perform a series of actions to validate their compliance with the PCI DSS. These are:

  • An annual Report On Compliance (ROC) by a qualified security assessor or internal security assessor;
  • A quarterly network scan by an Approved Scan Vendor (ASV);
  • Submission of completed Attestation of Compliance form.

Finally, merchants must report the audit results to their “acquiring bank,” defined as an “entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.”

What Is a Level 1 Service Provider?

A service provider is not a merchant or payment brand in the PCI compliance world. Instead, the service provider collects, processes, or transfers credit card information on behalf of another company.

A service provider also includes businesses that control or potentially influence the protection of cardholder data. For example, managed service companies that provide firewalls, IDS/IPS, other solutions, and hosting providers are all examples of service providers within PCI compliance.


There are only two levels for service provider PCI compliance. The criteria and validation requirements for Level 1 service providers are simple: the provider processes, transmits, or stores more than 300,000 credit card transactions annually. Service providers with fewer than 300,000 transactions annually qualify for the less stringent Level 2 requirements.

Service Provider Validation Requirements

If the Level 1 criteria for identification are met, service providers must comply with several validation requirements for their compliance with PCI DSS:

  • Annual report on compliance by a qualified security assessor;
  • Network scans are performed quarterly by an approved scanning vendor;
  • Penetration testing and internal scans;
  • Submission of completed Attestation of Compliance form.

Maintain PCI Compliance with ZenGRC

Instead of using spreadsheets to manage your compliance requirements, implement RiskOptics ZenGRC to streamline evidence and audit management.

Quality software can make PCI compliance accessible and cost-efficient by outlining the requirements and providing tools to manage the documentation. Pre-loaded templates guide you through the process. Cross-mapping standard conditions across multiple compliance frameworks reduces your team’s workload.

ZenGRC is ready to assist you in managing the whole lifecycle of all your essential cybersecurity risk management frameworks – the PCI standard, ISO, HIPAA, and others. The tools enable you to identify threats in real time and take control measures before they become real problems.

Schedule a demo and get started on hassle-free PCI compliance – the Zen way!

How to Get the Most Out of
Your PCI Program

get free guide