The PCI DSS (Payment Card Industry Data Security Standard) was enacted in 2004 to assure that all businesses that accept, handle, store, or transfer credit card information operate in a secure manner. PCI compliance is required for all merchants and service providers that process payment cards for in-store and e-commerce transactions.

PCI requirements differ depending on the number and type of credit card transactions a business processes per year; that transaction volume determines the level of PCI compliance a company must achieve. There are four levels of PCI compliance for merchants and two for service providers, all intended to protect the security of cardholder data and credit card data.

The PCI Security Standards Council (PCI SSC) established different compliance levels to acknowledge that credit card data security risks rise with the number of transactions a business processes. More transactions increase the security risk, and therefore more PCI compliance requirements apply.

PCI Compliance Level 1 Explained

There are four levels of PCI compliance. Level 1 is the highest and most stringent of the four.

Most people assume that the level of compliance is determined only by the volume of transactions an organization processes; that’s not quite right. Merchants and service providers that have suffered a compromise of credit card or cardholder data also must meet Level 1 requirements – regardless of how many payment card transactions they process, store, or transmit.

PCI compliance certification assures card data protection through a series of requirements defined by the PCI SSC. These include a variety of best practices, such as firewall deployment, data transport encryption, and the use of anti-virus software. Businesses must also limit access to credit card information and monitor network access permissions.

PCI compliance signals to customers that their transactions with your company are protected. In contrast, the penalties of non-compliance, both monetary and reputational, should be enough to persuade any business owner to prioritize data security.

How Do Level 1 Merchants Comply with PCI DSS?

To comply with PCI DSS, businesses at all levels must self-assess their controls by filling out a PCI DSS self-assessment questionnaire (SAQ) that the security standards council provides. Levels 2, 3, and 4 can achieve PCI compliance simply by completing the SAQ and meeting the corresponding requirements.

Level 1 merchants and service providers must also have a qualified security assessor (QSA) or internal security assessor perform an onsite audit every year. The assessor will review the SAQ and compare it with the findings from the onsite audit to complete an annual report on compliance.


Specific criteria qualify a business as a Level 1 merchant. Merchants must only meet one of these criteria to be considered Level 1, so your organization must be aware of the complete list:

  • Processes 6 million or more Visa, Mastercard, or Discover transactions annually;
  • Processes 2.5 million or more American Express transactions annually;
  • Processes 1 million or more JCB transactions annually;
  • Has suffered a data breach or cyberattack that resulted in a compromise of cardholder data;
  • Has been identified by another card issuer as Level 1.

Validation Requirements

If any of the above criteria are met, companies must perform a series of actions to validate their compliance with the PCI DSS. These are:

  • An annual report on compliance (ROC) by a qualified security assessor or internal security assessor;
  • A quarterly network scan by approved scan vendor (ASV);
  • Submission of completed Attestation of Compliance form.

Finally, merchants must report the audit results to their “acquiring bank,” defined as an “entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.”

What Is a Level 1 Service Provider?

In the PCI compliance world, a service provider is not a merchant or payment brand. Rather, the service provider is involved in the collection, processing, or transfer of credit card information on behalf of another company.

A service provider also includes businesses that control or potentially influence the protection of cardholder data. For example, managed service companies that provide firewalls, IDS/IPS, and other solutions, as well as hosting providers, are all examples of service providers within the realm of PCI compliance.


There are only two levels for service provider PCI compliance. The criteria and validation requirements for Level 1 service providers are simple: the provider processes, transmits, or stores more than 300,000 credit card transactions annually. Service providers with fewer than 300,000 transactions annually qualify for the less stringent Level 2 requirements.

Service Provider Validation Requirements

If the Level 1 criteria for identification are met, service providers must comply with several validation requirements for their compliance with PCI DSS:

  • Annual report on compliance by a qualified security assessor;
  • Network scans performed quarterly by an approved scanning vendor;
  • Penetration testing and internal scans;
  • Submission of completed Attestation of Compliance form.

Maintain PCI Compliance with ZenComply

Regardless of your regulatory environment, data security must be integrated into all aspects of your business. Instead of using spreadsheets to manage your compliance requirements, implement Reciprocity ZenComply to streamline evidence and audit management for all of your compliance frameworks.

Quality software can make PCI compliance accessible and more cost-efficient by outlining the requirements and providing tools to manage the documentation. Pre-loaded templates guide you through the process. Cross-mapping common requirements across multiple compliance frameworks simplifies evidence collection and reduces the workload on your team.

ZenComply is a single source of truth that assures your organization is always audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.

ZenComply is ready to assist you in managing the whole lifecycle of all your essential cybersecurity risk management frameworks – the PCI standard, but also ISO, HIPAA, and others. The tools enable you to identify threats in real-time and take control measures before they become real problems.

Schedule a demo and get started on hassle-free PCI compliance – the Zen way!

How to Get the Most Out of
Your PCI Program

get free guide