PCI Compliance Level 4 is the lowest level of compliance under the Payment Card Industry Data Security Standard (PCI DSS). Level 4 applies to merchants that process fewer than 20,000 Visa or Mastercard e-commerce transactions per year or up to 1 million total Visa or Mastercard credit card transactions and that have not suffered a data breach or attack that compromised card or cardholder data.

Neither Discover, American Express, or JCB has a Level 4 designation. Discover and American Express stop at Level 3; JCB has just two merchant levels.

Merchants that qualify as Level 4 must achieve PCI DSS compliance by meeting their acquiring bank’s requirements. Typically, they must:

  •     Complete a Self-Assessment Questionnaire (SAQ)
  •     Have an Approved Scanning Vendor (ASV) conduct quarterly network scans

Unlike merchants in higher levels (Levels 1, 2, or 3), Level 4 merchants do not need an onsite audit by a Qualified Security Assessor or a Record of Compliance, and usually do not need to fill out an Attestation of Compliance.

There is no Level 4 for service providers, which also must be PCI compliant. Service providers perform payment, internet or other services for merchants or banks, and those services involve processing, storing, or transmitting credit card data.


What is PCI DSS?

The PCI Security Standards Council (PCI SSC), representing financial institutions, merchants, processor companies, software developers, and point-of-sale vendors, developed PCI DSS in 2004 to safeguard credit card and cardholder data against breach and other forms of unauthorized access. 

To process, store, or transmit credit card data, merchants and payment or internet service providers must be PCI compliant. Otherwise, they face strict penalties including fines and possible loss of credit card privileges.