PCI Levels

0Tolerance is a listed Payment Card Industry (PCI) Qualified Security Assessor (QSA) and can help you understand the PCI Level 1 requirements.

The PCI Data Security Standard (PCI DSS) is a contractual requirement set forth by the PCI Security Standards Council (PCI SSC) to protect cardholder data. It applies to any organization that stores, processes, or transmits cardholder data, regardless of the size or number of transactions. It also applies to organizations that impact the security of card transactions. The PCI DSS protects cardholder data by requiring organizations to implement security controls and best practices. Level 1 organizations must undergo annual third-party Qualified Security Assessor (QSA) audits to ensure that their security controls are effective and comply with the PCI DSS.

PCI Service Provider Levels

Service providers deliver services to other organizations that handle cardholder data. Examples include payment processors, hosting providers, and managed service providers. Service providers are classified as either Level 1 or Level 2. All Level 1 Service Providers must undergo a third-party QSA audit annually. Level 2 Service Providers can choose between a third-party QSA audit and the Self-Assessment Questionnaire Type D for Service Providers.

Level 1

  • AmEx Service Provider that stores, transmits, or processes over 2.5 million AmEx transactions annually
  • Discover Service Providers that store, process, or transmit over 300,000 Discover transactions annually
  • Mastercard Third-Party Processors
  • Mastercard Staged Digital Wallet Operators
  • Mastercard Digital Activity Service Providers
  • Mastercard Token Service Providers
  • Mastercard 3-D Secure Service Providers
  • Mastercard AML/Sanctions Service Providers
  • Mastercard Installment Service Providers
  • Mastercard Data Storage Entities and Payment Facilitators with more than 300,000 total MC transactions annually
  • Visa Processor or Service Provider that stores, transmits, or processes over 300,000 Visa transactions annually

Level 2

  • AmEx Service Provider that stores, transmits, or processes 50,000 to 2.5 million AmEx transactions annually
  • Discover Service Providers that store, transmit, or process fewer than 300,000 Discover transactions annually
  • Mastercard Data Storage Entities and Payment Facilitators with 300,000 or fewer total MC transactions annually
  • Mastercard Terminal Service Providers
  • Visa Processor or Service Provider that stores, transmits, or processes fewer than 300,000 Visa transactions annually

PCI Merchant Levels

Merchants are organizations that accept payment cards from customers. They are responsible for ensuring that their payment systems are PCI DSS compliant. There are four merchant levels, Level 1 through Level 4, based on transaction volume and how cards are accepted. Level 1 Merchants must undergo a third-party audit. Level 2 Merchants sometimes have third-party and self-assessment options. Level 3 and Level 4 Merchants generally self-assess.

Level 1

  • American Express merchant with 2.5 million or more AmEx transactions
  • Discover merchant processing 6 million or more Discover transactions annually
  • Mastercard merchant having more than 6 million total combined MC transactions annually
  • Visa merchant having more than 6 million total combined Visa transactions annually
  • Merchants that have suffered a hack or an attack that resulted in an account data compromise
  • Merchants deemed to be a Level 1 at the discretion of a payment brand due to their risk profile

Level 2

  • AmEx Merchant that stores, transmits, or processes 50,000 to 2.5 million AmEx transactions annually
  • Discover merchant processing between 1 million and 6 million Discover card transactions annually 
  • Mastercard merchant with more than 1 million but less than or equal to 6 million total combined MC transactions annually
  • Visa merchant with more than 1 million but less than or equal to 6 million total combined Visa transactions annually

Level 3

  • AmEx Merchant that stores, transmits, or processes 10,000 to 50,000 AmEx transactions annually
  • All other Discover merchants
  • Mastercard merchant with more than 20,000 combined MC e-commerce transactions annually but less than or equal to 1 million
  • Visa merchant with more than 20,000 combined Visa e-commerce transactions annually but less than or equal to 1 million

Level 4

  • All other Mastercard and Visa merchants
  • AmEx Merchant that stores, transmits, or processes fewer than 10,000 AmEx transactions annually

QSA Services for Merchants and Service Providers

We perform the following engagements:

PCI Penetration Testing

0Tolerance performs penetration testing and segmentation testing for PCI purposes.

PCI Approved Scanning Vendor

0Tolerance offers an industry-leading ASV solution that has been customized to our needs for your benefit.

We Help You Avoid Costly Payment Card Breaches