Summary: 

PCI compliance requirements vary based on annual Visa and MasterCard credit card processing volume, and each level has its own validation requirements.

  • Level 1 - Volume > $6M per year
  • Level 2 - Volume between $150,000 and $6M per year
  • Level 3 - Volume between $20,000 and $150,000 per year
  • Level 4 - Volume < $20,000 per year (all merchants that do not fall into Levels 1, 2 or 3)


Full Details: 

The Payment Card Industry Data Security Standard (PCI-DSS) is a comprehensive set of security standards created by the major card associations to ensure the protection of cardholder data globally. Compliance with PCI-DSS standards is mandatory for all merchants, service providers, acquirers and processors. PCI compliance requirements vary by processing volume.

Level 1:

  • Processing > $6 million in Visa or MasterCard transaction volume per year
  • Annual 3rd Party Onsite Review
  • Quarterly 3rd Party Security Scans for External IP Addresses

Level 2:

  • Processing between $150,000 and $6 million in Visa or MasterCard transactions per year
  • Annual Self Assessment
  • Quarterly 3rd Party Security Scans for External IP Addresses

Level 3:

  • Processing between $20,000 and $150,000 in Visa or MasterCard transactions per year
  • Annual Self Assessment
  • Quarterly 3rd Party Security Scans for External IP Addresses

Level 4:

  • All businesses not included in Levels 1, 2 or 3
  • Annual Self Assessment – recommended
  • Quarterly Security Scans – recommended