Payment card industry (PCI) compliance refers to the technical and operational standards that organizations must follow to comply with the Payment Card Industry Data Security Standard (PCI DSS) and, in doing so, protect and secure cardholders’ payment card data — credit card and debit card data — during processing, storage, and transmission of cardholder data. 

The PCI Data Security Standard is an information security standard for companies that handle credit cards from the major card brands. The PCI DSS requirements aim to ensure that all companies that process, store, or transmit credit card information maintain secure environments. 

The PCI Security Standards Council (PCI SSC) developed the PCI standards for compliance. The PCI SSC is an independent body comprising Visa, Mastercard, American Express, Discover, and JCB, a credit card company based in Japan. 

Although the PCI SSC administers and manages the PCI DSS, the payment brands and acquirers (the acquiring banks or financial institutions that give merchants the right to process credit and debit transactions) are responsible for enforcing compliance. 

While merchants are not mandated by law or regulation to adopt PCI standards, the major card brands do mandate its use via the banks and other organizations that process all credit card transactions. 

Non-compliance could result in the offender’s loss of the privilege of processing credit card transactions. Therefore, all merchants are required to follow PCI standards without exception. The requirements include establishing data security policies, maintaining a secure network and secure systems, and removing card data from processing systems and payment terminals.

Cardholder data includes credit and payment card numbers, account numbers, the cardholder’s name, the credit card’s security code and expiration date. 

The fact that an organization is PCI compliant isn’t an automatic guarantee that the company’s systems are secure; however, it is a major step in that direction. 

Levels of PCI Compliance

There are four PCI DSS compliance levels. Merchants are classified into levels based on their yearly transaction volume. The levels differ slightly by credit card brand, but compliance requirements for each merchant level are consistent. Generally, the greater number of transactions processed by a merchant, the more stringent the security controls they must follow. Note that there are four PCI merchant compliance levels and two service provider levels established in an effort to protect the security of credit card data and cardholder data.

Compliance with this important data protection standard involves many of the same security requirements required for other cybersecurity frameworks: use of anti-malware or antivirus software, secure firewall configuration, strong system passwords, a vulnerability management program that includes frequent vulnerability scans, strong access control measures both for virtual and physical access that restricts systems and data access to those with a business need, and more.

The PCI compliance levels are as follows:

Level 1: Any merchant processing over 6 million transactions per year across all channels or any merchant that has suffered a data breach. Additionally, credit card companies can upgrade any merchant to Level 1 at their discretion.

Level 2: Any merchant processing between 1 and 6 million transactions annually across all channels.

Level 3: Any merchant processing between 20,000 and 1 million e-commerce transactions per year.

Level 4: Any merchant, typically a small business, processing less than 20,000 e-commerce transactions annually or any merchant processing up to 1 million regular transactions per year.

The table below illustrates a sample of the different merchant levels (one through four) by card brand, based on transaction counts.

Merchant Levels Visa Mastercard American Express
Level 1 Merchant More than six million annual transactions More than six million annual transactions More than 2.5 million annual transactions
Level 2 Merchant Between one million and six million annual transactions Between one million and six million annual transactions Between 50,000 and 2.5 million annual transactions
Level 3 Merchant Between 20,000 and one million annual transactions Between 20,000 and one million annual transactions Less than 50,000 annual transactions
Level 4 Merchant Less than 20,000 annual transactions (e-commerce only) All other merchants N/A

Assessment Methods

The method used to assess compliance with PCI requirements differs depending on the type of business a merchant is performing and the merchant level they are currently at. While all merchants must perform some type of annual assessment, who performs the assessment and to what level of detail the assessment is performed is determined by the merchant level.

PCI-DSS assessments generally fall into one of three methods:

  • Qualified security assessor (QSA): QSAs are independent security companies that the PCI Security Standards Council has certified to validate whether an organization complies with PCI DSS. A QSA performs an assessment of an organization that handles credit card data against the control objectives of the PCI DSS. 
  • Internal security assessor (ISA): An ISA is an assessor internal to the organization being assessed. The ISA has also been certified by the PCI Security Council to perform PCI assessments, but only for their own organization.
  • Self-assessment questionnaire (SAQ): SAQs, are used by lower-level merchants (with fewer transactions) to perform a self-assessment of their compliance.  The type of PCI SAQ a company has to complete depends on the type of merchant and how it handles credit card payments, e.g., if the merchant outsources payment processing to a PCI DSS-compliant third party vendor.

Reports on Compliance and Attestation of Compliance

Assessments result in either a Report on Compliance (RoC), Attestation of Compliance (AoC), or both. The RoC and/or AoC are provided to the merchant’s credit card acquirer annually to prove their compliance with PCI requirements. As with the assessment methods, the proof of compliance method is determined by the merchant level and the requirements of the specific card brand. Higher-level merchants may also be required to provide quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV)

  • Report on Compliance (RoC): RoCs are only required for merchants in level 1 with more than 6 million transactions per year. The RoC is a form issued by the PCI regulatory body.
  • Attestation of Compliance (AoC) – An AoC is an attestation by a merchant that they are compliant with applicable requirements of the PCI-DSS.

The table below provides a sample of these requirements.

Merchant Levels Visa Mastercard
Level 1 Merchant
  • Annual RoC prepared by either a QSA or ISA
  • Quarterly ASV-performed scan
  • AoC (Attestation of Compliance) – an attestation by a merchant that they are compliant with applicable requirements of the PCI-DSS.  
  • Annual RoC prepared by either a QSA or ISA
  • Quarterly ASV-performed scan
  • AoC
Level 2 Merchant
  • Annual SAQ
  • Quarterly ASV-performed scan
  • AoC
  • Annual SAQ
  • Quarterly ASV-performed scan
  • AoC
Level 3 Merchant
  • AoC provided to service provider annually
  • Annual SAQ
  • Quarterly ASV-performed scan
  • AoC
Level 4 Merchant
  • AoC provided to service provider annually (E-commerce merchants only)
  • Annual SAQ
  • Quarterly ASV-performed scan
  • AoC