The Payment Card Industry Data Security Standard (PCI DSS) Level 2 merchants process between 1 and 6 million Visa, Mastercard, and Discover transactions yearly, 50,000 to 2 million American Express sales, and fewer than 1 million JCB International credit card transactions. 

Service providers–entities that process credit card payments for merchants and their financial institutions (also known as “acquiring banks”) or that handle card and cardholder data in some other capacity, such as data destruction–qualify as PCI Compliance Level 2 if they process, store, or transmit fewer than 300,000 total card transactions annually.

Suppose your enterprise qualifies as merchant Level 2 or service provider Level 2. In that case, it won’t need a yearly onsite audit by a Qualified Security Assessor or a resulting Report on Compliance to demonstrate PCI DSS compliance. Only level 1 entities need the audit.

Instead, merchants in levels 2, 3, and 4 may submit a completed Self-Assessment Questionnaire to the PCI Security Standards Council (PCI SSC) and perform a few other tasks before making an Attestation of Compliance. However, with as many as 281 requirements to address and other required tasks, becoming PCI compliant can take Level 2 entities an entire year or more.

What is PCI DSS?

The payment card industry—particularly credit card brands Visa, Mastercard, American Express, Discover, and JCB—leads the Security Standards Council. It developed the PCI DSS framework in 2004 to ensure the security of credit card data and cardholder data, in particular, e-commerce transactions.

Recognizing that different organizations have different security risks, however, the council established four merchant levels and two service provider levels. Level 1 is the most stringent for entities processing 6 million or more credit card transactions per year (as well as those that have suffered a data breach) and service providers handling more than 300,000 transactions annually.

What is PCI DSS Level 2?

PCI DSS compliance is vital for businesses entrusted with cardholder data, ensuring the highest security standards are upheld. PCI DSS Level 2, an integral classification within this framework, is particularly relevant for merchants and service providers managing 1 to 6 million Visa transactions annually. To maintain the trust of your customers and safeguard sensitive payment card data, a thorough understanding of the specific PCI DSS requirements and security parameters associated with Level 2 is paramount.

PCI DSS Level 2 extends the overarching PCI DSS framework, incorporating essential security principles while introducing tailored criteria and best practices for mid-sized organizations. 

With a strong focus on security, Level 2 aligns with fundamental PCI DSS requirements, including stringent authentication, penetration testing, and the implementation of anti-virus software. The compliance process is a collaborative effort involving Qualified Security Assessors (QSAs) and service providers, necessitating robust risk assessments and secure network configurations. 

PCI DSS 2.0 brings new requirements to bolster data protection in e-commerce, point-of-sale systems, and payment applications, emphasizing the importance of adhering to Payment Application Data Security Standard (PA-DSS) and collaborating with Approved Scanning Vendors (ASVs) to identify vulnerabilities.

Who needs to comply with PCI DSS Level 2?

Merchant Level 2 generally applies to merchants processing, storing, or transmitting 1 million or more transactions (up to 6 million) per year. That’s the PCI DSS standard. But the major credit cards also have their designated merchant levels, so your organization’s designation depends partly on which cards it accepts.

Filling out and submitting a Self-Assessment Questionnaire—a lengthy process with as many as 281 requirements to address—is one of several tasks those in PCI compliance Level 2 must complete before completing their Attestation of Compliance.

The PCI DSS compliance criteria and requirements for merchant and service provider Level 2 are:



  • Process 1 million to 6 million Mastercard, Discover, or Visa transactions per year
  • Process 50,000 to 2.5 million American Express transactions annually
  • Process fewer than 1 million JCB transactions annually

Validation Requirements:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by PCI SSC-Approved Scan Vendor
  • Attestation of Compliance Form

Service providers


  • Process, store, or transmit fewer than 300,000 credit card transactions per year

Validation requirements:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by an Approved Scan Vendor
  • Penetration test
  • Internal scan
  • Attestation of Compliance Form

Service providers that qualify as Level 2 may be asked by partners, clients, or other business partners to validate their PCI DSS compliance with an onsite audit by a Qualified Security Assessor or Internal Security Assessor and meet other, more stringent, Level 1 criteria. Also, they may opt to validate as a Level 1 provider to be included on Visa’s Global Registry of Approved Service Providers.

What are the benefits of PCI DSS Level 2?

PCI DSS Level 2 offers a range of benefits beyond just compliance, enhancing your overall cybersecurity posture. Here’s how Level 2 can protect your Cardholder Data Environment (CDE) and bolster your cyber defenses:

  1. Robust Cybersecurity: Level 2 compliance mandates strong access control measures, default security parameters, and integration of the latest cybersecurity methodologies. This ensures a robust defense against threats, including malware and potential vulnerabilities.
  2. Enhanced Network Security: Level 2 requires the implementation of firewalls, especially in the CDE. This secures your system components and prevents unauthorized access, safeguarding sensitive data from breaches.
  3. Lifecycle Integrations: Compliance encourages the incorporation of security throughout the lifecycle of your processes and systems. This proactive approach helps identify and address security risks early, ensuring data protection at every point.
  4. Keeping Up with the Latest Standards: Level 2 aligns with new PCI DSS versions such as PCI DSS v4.0, ensuring your compliance stays up-to-date with evolving industry requirements and emerging threats.
  5. Robust Access Control: Maintaining Level 2 compliance necessitates strong access control measures and a defined information security policy. This guarantees that only authorized personnel can access cardholder data and other sensitive information.
  6. Protection against Data Breaches: By following Level 2 requirements, your organization is better prepared to prevent data breaches and the unauthorized transmission of cardholder data. This safeguards your reputation and financial stability.
  7. Compliance Integration: Being Level 2 PCI DSS compliant enhances your integration capabilities, enabling secure connections with stakeholders and systems while addressing Frequently Asked Questions (FAQs) regarding cardholder data security.
  8. Efficient Data Retention: Level 2 compliance supports efficient data retention processes, which ensures the appropriate handling of data and contributes to maintaining a secure environment.
  9. Strong Relationships with Stakeholders: Compliance strengthens your relationships with stakeholders, including payment processors. Adhering to Level 2 requirements demonstrates your commitment to protecting cardholder data and complying with industry standards.

ZenGRC Offers PCI Compliance Solutions

Step away from the spreadsheet chaos and welcome a new era of streamlined compliance with RiskOptics ZenGRC. Achieving and maintaining PCI compliance has never been easier or more cost-effective. Our quality software simplifies the process, offering precise requirements and intuitive tools for efficient documentation management. Pre-loaded templates guide you through every step, reducing your team’s workload.

This not only simplifies the compliance journey but also ensures you’re ready to manage the whole lifecycle of your essential cybersecurity risk management frameworks. With ZenGRC, real-time threat identification and preemptive control measures are at your fingertips, helping you tackle potential issues before they become real problems.

Schedule a demo today and discover how ZenGRC can transform your compliance efforts, making them efficient, accessible, and cost-efficient.