The Levels of PCI DSS Compliance

August 24, 2021

The Levels of PCI DSS Compliance

PCI DSS merchant compliance is built on four separate levels all dependant on the business you run and your transaction volume.

What are the four levels of PCI DSS compliance for merchants?

PCI DSS Compliance Level 1

Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by a PCI QSA (Qualified Security Assessor), they must undergo an internal audit once a year. In addition, once a quarter they must submit a quarterly network security scan by an Approved Scanning Vendor (ASV).

PCI DSS Compliance Level 2

Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a PCI DSS Self-Assessment Questionnaire (SAQ). Additionally, a quarterly network scan may be required. Use of a PCI QSA is optional.

PCI DSS Compliance Level 3

Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant Annual Self-Assessment Questionnaire. Quarterly scanning may also be required. Use of a PCI QSA is optional.

PCI DSS Compliance Level 4

Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed, and a quarterly network scan may be required. Use of a PCI QSA is optional.

Who enforces the 4 levels of PCI DSS compliance?

PCI DSS compliance is enforced by individual payment brands or acquiring banks. Some businesses rely on an internal auditor to enforce their PCI compliance. However, Cardstream are validated to Level 1 Service Provider status and work closely with an external QSA Company to ensure we are meeting PCI DSS and PCI 3DS compliance.

The PCI DSS Service Provider Level 1 security features that the Cardstream platform offers:

1. Application code reviews
2. Assessment of app security
3. Integrated Fraud Protection
4. Velocity Checks
5. 3DSV2
6. Hosted Solutions
7. Tokenisation

Do I need vulnerability scanning to validate compliance?

If you qualify for certain self-assessment Questionnaires (SAQs) or you electronically store cardholder data post authorisation, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required to maintain compliance. If you qualify for any of the following SAQs under version 3.2.1 of the PCI DSS, then you are required to have a passing ASV scan:

• SAQ D-Merchant
• SAQ D-Service Provider

If I only accept payment cards over the phone, does PCI DSS still apply to me?

Yes. All businesses that store, process or transmit payment cardholder data must be PCI DSS compliant. If you accept card payments over the phone (MOTO transactions), this still applies. As a PCI DSS compliant business, Cardstream will always ensure the highest possible cardholder data security standards when you carry out MOTO transactions.

How does Cardstream help organisations achieve and maintain PCI DSS compliance?

Cardstream has a range of tools to help merchants maintain their PCI DSS compliance. For example, our Hosted Form solution which would require the merchant to fill out an SAQ-A, will ensure that the merchant meets PCI DSS compliance, with the minimum requirements set, in order to process payments securely. If the merchant, however, chooses to utilise a direct integration where the cardholder data would be collected in the merchant’s own business environment, the merchant should already be operating a PCI DSS compliant environment. If they are not, this may lead to additional costs and administrative overhead to maintain their own PCI DSS secure environment.

We also offer other PCI DSS compliant tools such as, tokenisation which involves the collecting, storing and processing of arbitrary data linked to cardholder data and finally, the secure virtual terminal which allows merchants to securely process a MOTO transaction in a PCI DSS secure way.

Please click here to read our blog on PCI DSS compliance.

For more information about PCI DSS, contact