A PCI compliance guide for business

Today, any business that processes credit or debit card payments must follow the Payment Card Industry Data Security Standard (PCI DSS). Noncompliance can result in hefty fines and the loss of the ability to accept payment cards or handle credit card transactions, which could end practically any business. Credit card issuers generally demand PCI compliance to secure online transactions and to safeguard customers from identity theft. According to the PCI Security Standards Council, any merchant wishing to process, store, or transmit credit card data must be PCI compliant. The level of compliance is determined by the number of debit and credit card transactions a company conducts each year, the types of cards it accepts, and whether or not it has experienced a breach or incident that resulted in credit card or cardholder data being compromised. The levels are as follows.

Merchant level one:

Eligibility criteria:

  • Processes approximately 6 million Visa, Mastercard, and Discover transactions annually.
  • Processes over 2.5 million American Express transactions annually.
  • Processes more than 1 million JCB transactions annually.
  • Has suffered a data breach or cyberattack that resulted in cardholder data being compromised, OR
  • Has been classified as Level 1 by another card issuer.

Validation requirements:

  • An Annual Report on Compliance (ROC) provided every year by a Qualified Security Assessor or an Internal Security Assessor.
  • A quarterly network scan conducted by an Approved Scanning Vendor.
  • Completion and submission of the Attestation of Compliance form.

Level 1 is the highest and most demanding of the PCI DSS compliance levels, and it is the only one that requires a complete on-site audit every year. As a result, Level 1 merchants often need two years to become PCI compliant.

Merchant Level two:

Eligibility criteria:

  • Processes 1 to 6 million Mastercard, Discover, or Visa transactions per year.
  • Processes between 50,000 and 2.5 million American Express transactions annually.
  • Processes fewer than 1 million JCB transactions per year.
  • Has not been the victim of a data breach or attack that resulted in the loss of card or cardholder information.

Validation requirements:

  • An annual Self-Assessment Questionnaire (SAQ).
  • A quarterly network scan conducted by an Approved Scanning Vendor.
  • Completion of the Attestation of Compliance form.

At Level 2, merchants are not required to undergo an on-site audit unless they have experienced a data breach or hack that resulted in the compromise of credit card or cardholder data. A Level 2 merchant’s acquiring bank may, however, require an audit and a Report on Compliance (ROC).

Instead, Level 2 merchants can self-report by completing and submitting a Self-Assessment Questionnaire. They must also have their networks scanned by an Approved Scanning Vendor every quarter, because PCI DSS compliance, like data security, is a continuous effort.

Merchant level 3:

Eligibility Criteria:

  • Processes 20,000 to 1 million Visa e-commerce transactions each year.
  • Processes 20,000 Mastercard e-commerce transactions each year.
  • Processes 20,000 to 1 million Discover card-not-present transactions each year.
  • Processes fewer than 50,000 American Express transactions each year, AND
  • Has not been the victim of a data breach or cyberattack that exposed card or cardholder information.

It is worth noting that JCB does not define a Level 3: merchants who conduct fewer than 1 million JCB transactions per year are classified as Level 2.

Validation requirements:

A Level 3 merchant must meet the same validation standards as a Level 2 merchant:

  • An annual Self-Assessment Questionnaire.
  • A quarterly network scan conducted by an Approved Scanning Vendor.
  • Completion of the Attestation of Compliance form.

Although Level 2 and Level 3 merchants are not required to commission an on-site audit or obtain a ROC, some choose to do so to enhance their business profile or to confirm that their cardholder data environment is fully secure.

Merchant level 4:

Visa and Mastercard have set Level 4 as the lowest level of PCI merchant compliance.

Eligibility criteria:

  • Processes fewer than 20,000 Visa or Mastercard e-commerce transactions annually.
  • Processes up to 1 million Visa or Mastercard credit card transactions in a single day.
  • Has not suffered a data breach or incident that exposed card or cardholder information.
  • Discover, American Express, and JCB do not have a Level 4 rating: Discover and American Express have three merchant tiers, while JCB has only two.

Validation requirements:

Level 4 merchants must comply with PCI DSS by meeting the standards of their acquiring bank. Typically, banks demand the following from Level 4 merchants:

  • An annual Self-Assessment Questionnaire.
  • A quarterly network scan conducted by an Approved Scanning Vendor.

Service provider level 1:

A service provider is a company that processes, stores, or transmits cardholder data on behalf of another company, or that offers services which could affect the security of cardholder data. Examples include providers of managed firewalls, intrusion detection systems, intrusion prevention systems, data deletion services, and web hosting. Level 1 service providers have slightly different criteria and validation requirements than Level 1 merchants. Service providers are required to be PCI DSS compliant.

Eligibility criteria:

  • More than 300,000 credit card transactions are stored, processed, or transmitted each year.

Validation requirements:

  • An Annual Report on Compliance by a Qualified Security Assessor.
  • A quarterly network scan conducted by an Approved Scanning Vendor.
  • Penetration testing.
  • Internal audit.
  • Completion and submission of the Attestation of Compliance form.

Service provider level 2:
Eligibility criteria:

  • Processes, stores, or transmits fewer than 300,000 credit card transactions per year.

Validation requirements:

  • An annual Self-Assessment Questionnaire.
  • A quarterly network scan conducted by an Approved Scanning Vendor.
  • Penetration testing.
  • Internal audit.
  • Completion of the Attestation of Compliance form.

Clients or other business partners may ask Level 2 service providers to certify their PCI DSS compliance through an on-site assessment by a Qualified Security Assessor or Internal Security Assessor and to meet the other, stricter Level 1 standards. Level 2 service providers may also choose to be validated as a Level 1 provider in order to be listed on Visa’s Global Registry of Approved Service Providers.

Additional compliance considerations:

  • The compliance requirement applies to any point-of-sale technology, line-busting technology, or wireless local area network that stores, processes, or transmits payment card data. If a company outsources its PCI DSS compliance to a third party, the merchant remains responsible for overseeing the vendor to verify that the standard is followed.
  • If an e-commerce business outsources payment processing, it must use PCI DSS-validated third parties. It must also ensure that no cardholder data is stored, processed, or transmitted electronically on its own systems or premises.
  • Merchants who use only imprint machines and standalone dial-out terminals, with no electronic cardholder data storage, should still consider PCI DSS compliance.
  • Merchants who use standalone, PTS-approved terminals that connect to a payment processor over IP must review their individual compliance requirements.
  • When a merchant manually keys individual transactions into an internet-based terminal solution, the business must verify its own PCI DSS compliance and confirm that the third-party solution is PCI DSS validated.
  • PCI compliance is required if a merchant uses an internet-connected payment system, even one that does not store electronic cardholder data.
  • Merchants who use hardware payment terminals that are part of a validated, PCI SSC-listed P2PE solution, and that are managed by that solution, must be compliant and must verify that their vendor is compliant.

Final thoughts:

In short, the primary purpose of PCI compliance is to give online businesses guidance on protecting the privacy and security of sensitive card data. Keep in mind that PCI compliance is not driven by transaction volume alone; each merchant is accountable for its own customers. Overall, you can find a payment provider that handles card data and takes care of all PCI compliance for you.