The PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect customer card information. If your business accepts, stores, processes, or transmits card data, you must comply with PCI DSS.
What determines your PCI compliance level?
PCI DSS compliance levels are based on your annual transaction volume. The PCI Security Standards Council assigns businesses to one of four levels, with higher transaction volumes requiring more stringent security validation:
Level 1: Over 6 million transactions annually
- Also includes any merchant that has experienced a data breach
- Requirements: on-site security assessment by a qualified assessor, network penetration testing
- Most complex compliance process

Level 2: 1-6 million transactions annually
- Requirements: self-assessment questionnaire, network vulnerability scanning, attestation of compliance
- Annual external security validation required

Level 3: 20,000-1 million transactions annually
- Requirements: self-assessment questionnaire, network vulnerability scanning (if applicable), attestation of compliance
- Self-directed compliance process

Level 4: Under 20,000 e-commerce transactions OR under 1 million other transactions annually
- Requirements: self-assessment questionnaire, network vulnerability scanning (if storing card data), attestation of compliance
- Simplest compliance process
Key points to remember:
- All levels must meet the same security standards; only the validation process differs
- Transaction volume includes all payment channels (in-person, phone, online, mail)
- E-commerce transactions have lower thresholds due to higher risk
- Your payment processor or acquiring bank determines your specific requirements
- Higher levels face more expensive and complex validation processes
The main goal across all levels remains the same: protect customer card information and prevent data breaches that can devastate businesses through fines, lawsuits, and lost customer trust.