Identify your PCI Compliance Level
Are you a merchant, a service provider, or both? Learn how to identify your PCI compliance level. Protecting cardholder data is a top priority in today's digital payment landscape, and the Payment Card Industry Data Security Standard (PCI DSS) is the baseline standard for securing it. PCI DSS is a global framework that sets out security requirements for storing, processing, and transmitting payment card data in order to reduce card fraud and data breaches. PCI DSS is not a law, but compliance is a contractual obligation: any organization that stores, processes, or transmits cardholder data, regardless of size, is bound to it through its agreements with the card brands and its acquiring bank, and must adhere to the standard to stay compliant and protect customer trust. To streamline compliance validation, PCI DSS classifies businesses into two main categories:
- Merchants – businesses that accept card payments for goods or services.
- Service Providers – entities that process, store, or transmit cardholder data on behalf of merchants or other service providers.
However, compliance isn't always straightforward. Some businesses fall into both categories, which complicates the process of determining which PCI requirements apply. Additionally, the card brands further divide merchants and service providers into compliance levels based on annual transaction volume, adding another layer of complexity. Misjudging transaction volume, overlooking a payment channel, or misunderstanding whether a business qualifies as a merchant or service provider can lead to compliance gaps, weakened security controls, lost contracts, and fines from acquirers and card brands, all of which put a business's reputation and operations at stake. In this article, we break down how an organization's PCI DSS classification and compliance level determine which validation requirements apply, helping businesses navigate their path to compliance with clarity and confidence.
PCI Merchants
A PCI merchant is any entity that accepts payment cards bearing the logo of any of the five founding brands - American Express, Discover Financial Services, JCB International, Mastercard and Visa Inc. - as payment for goods and/or services. Identifying your business as a merchant is relatively easy: if you have a merchant agreement with an acquiring bank, you are a merchant by the PCI DSS definition. Every merchant receives a merchant identification number (MID), a unique code that allows the acquirer to process card payments on its behalf. Understanding your merchant level is more complicated, because the card brands define four merchant levels, and each level carries its own validation requirements. Let's review these levels in detail:
PCI Merchant Level 1
Level 1 merchants process over 6 million transactions annually across all channels, or have been designated Level 1 by a card brand, typically after a data breach. Due to their size and risk exposure, Level 1 merchants must complete the most rigorous PCI DSS validation process, which includes:
- Annual Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)
- Attestation of Compliance (AOC) to verify adherence to PCI DSS.
Confused by all these abbreviations? Read our article RoC, AoC, And Other Elements Of PCI DSS Compliance.
PCI Merchant Level 2
Merchants classified under PCI Level 2 process between 1 million and 6 million transactions annually across all sales channels. While they do not fall into the highest-risk category, their transaction volume still requires rigorous compliance measures to protect cardholder data. Unlike Level 1 merchants, Level 2 businesses may have some flexibility in how they validate, but they must still meet the full set of PCI DSS security requirements. Their validation requirements include:
- Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) (if mandated by the acquirer);
- Attestation of Compliance (AOC).
By staying proactive, they can maintain a secure payment environment, avoid penalties, and build trust with their customers.
PCI Merchant Level 3
PCI Level 3 merchants are typically small and mid-sized businesses (SMBs) that process between 20,000 and 1 million e-commerce transactions annually. While Level 3 merchants have lighter validation obligations than the higher levels, they must still meet the PCI DSS requirements that apply to their environment:
- Self-Assessment Questionnaire (SAQ) or ROC if required by the acquirer
- Attestation of Compliance (AOC)
Important Note: A Level 3 merchant's validation requirements can change after a data breach. If cardholder data is compromised, the merchant may face penalties and be reassigned to Level 1 by the card brand, which means a full third-party assessment (ROC) instead of a self-assessment.
PCI Merchant Level 4
Level 4 merchants are typically small local businesses that process fewer than 20,000 e-commerce transactions per year, or fewer than 1 million transactions per year across all other channels. Because their volumes are low, the card brands treat their aggregate exposure as lower and allow lighter validation. This does not make the security controls optional: small merchants with weak controls are common breach targets, and the PCI DSS requirements that apply to their environment still have to be met. Level 4 merchants typically need:
- SAQ (as required by the acquirer)
- Attestation of Compliance (AOC).
PCI Service Providers
A PCI service provider is any entity that is not a payment brand but is directly involved in the storage, processing, or transmission of cardholder data on behalf of another entity. Service providers also include vendors that control or could impact the security of cardholder data, such as hosting or managed security providers. In simple terms, service providers are third parties that assist merchants (or other service providers) with storing, processing, and/or transmitting cardholder data. Like merchants, service providers are assigned compliance levels based on the number of transactions they handle per year; there are two. Below is a breakdown of Level 1 and Level 2 service providers.
Level 1 Service Providers
Level 1 service providers store, process, or transmit more than 300,000 payment card transactions annually. To validate their PCI DSS compliance, these service providers must have:
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)
- Attestation of Compliance (AOC)
Level 2 Service Providers
Level 2 service providers store, process, or transmit fewer than 300,000 payment card transactions per year. They typically need:
- Self-Assessment Questionnaire (SAQ D for Service Providers), or a ROC if a card brand or a customer requires one
- Attestation of Compliance (AOC)
Merchants can confirm their level with their acquiring bank or payment processor, whose reporting tools show annual transaction counts per card brand. Service providers should confirm their level with the card brands they register with and with the customers whose cardholder data they handle.
Dual-Role Businesses
Some businesses operate as both a merchant and a service provider under PCI DSS, meaning they must comply with the requirements for both roles. If an entity accepts credit or debit card payments for products or services, it is considered a merchant under PCI DSS. Simultaneously, this entity can be qualified as a service provider if it stores, processes, or transmits cardholder data on behalf of another business or provides payment-related services (e.g., payment gateways, hosting, or payment processing). Examples of the dual-role entities include:
- a hosting provider that accepts credit card payments for its own services;
- a retailer with its own payment processing system that processes transactions for franchisees or partners;
- a SaaS company offering a subscription service while also handling payment transactions for other businesses (service provider role).
Compliance Requirements and Key Considerations
A dual-role business under PCI DSS must ensure that both its own transactions and those it handles for clients meet PCI DSS requirements:
- the entity must validate compliance for both roles, following the applicable merchant and service provider requirements for each;
- Level 1 service providers must undergo an independent assessment (ROC) rather than a self-assessment (SAQ), even if the same company qualifies as a low-level merchant for its own sales.
Understanding your entity status under PCI DSS is highly important as it directly impacts the PCI compliance validation process.
Challenges
Distinguishing PCI DSS compliance levels is not always straightforward, and mistakes in classification can lead to serious consequences such as compliance failures, security gaps, or lost business opportunities. Here are the key challenges businesses face when determining their correct PCI DSS level:
1. Misjudging transaction volume
PCI compliance levels are primarily based on the number of annual transactions processed. However, many businesses fail to accurately track this volume across all payment channels. For instance, a company might only count in-store transactions and overlook online or mobile payments, leading to an incorrect classification. A business processing 7 million transactions annually might mistakenly assume it falls under PCI Level 2 when it actually qualifies as a Level 1 merchant, requiring more rigorous assessments.
2. Ignoring brand-specific requirements
While PCI DSS provides a general framework, each card brand (Visa, Mastercard, Discover, etc.) has its own guidelines for defining compliance levels. A business might think it qualifies for Level 3 under one card brand and then discover that another requires it to meet Level 2 standards. This lack of clarity can lead to unnecessary compliance delays, unexpected costs, or even penalties from payment processors.
3. Not accounting for data breaches
A business that has experienced a data breach is often required to follow stricter compliance measures, regardless of transaction volume. For example, a small e-commerce store processing only 30,000 transactions a year might be forced to comply with Level 1 standards after a security breach.
4. Confusing merchant vs. service provider roles
Many companies provide payment-related services while also processing transactions for their own sales. A SaaS company offering subscription billing solutions might think it is just a merchant, but if it handles payments for other businesses, it also qualifies as a service provider. This dual role means it must meet dual compliance requirements for both merchants and service providers.
5. Failure to update compliance status
A business experiencing rapid growth may surpass its current level threshold without realizing it. A startup initially classified as a Level 4 merchant (fewer than 20,000 e-commerce transactions) may cross 20,000 e-commerce transactions, moving it to Level 3, or 1 million total transactions, moving it to Level 2. If the company fails to reassess its PCI obligations, it risks falling out of compliance, facing penalties, and damaging customer trust.
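The five challenges above boil down to a few classification rules that are easy to get wrong when applied by hand: volumes must be summed across every channel, a breach designation overrides the volume rule, the e-commerce count alone decides Level 3 versus Level 4, and a company may hold two roles at once. The following script is an added example, not part of the original article or any PCI SSC tool; it encodes the thresholds exactly as this article states them (6 million, 1 million, 20,000 for merchants; 300,000 for service providers). Those numbers are assumptions to confirm with your acquirer, since each card brand publishes its own level definitions, and the `Entity` inputs are constructed cases mirroring the challenges above.

```python
"""Merchant / service-provider level classifier.

Added example, not part of the original article. Thresholds are the ones
the article states; each card brand publishes its own, so treat these
constants as assumptions to confirm with your acquirer or the brand.
"""
from dataclasses import dataclass, field

# Annual transaction-count thresholds as stated in the article (assumed).
MERCHANT_L1_TOTAL = 6_000_000   # above this, all channels combined -> Level 1
MERCHANT_L2_TOTAL = 1_000_000   # from this up to 6M, all channels -> Level 2
MERCHANT_L3_ECOM = 20_000       # from this up to 1M e-commerce only -> Level 3
SP_L1_COUNT = 300_000           # above this -> service provider Level 1

ECOM = "ecommerce"


@dataclass
class Entity:
    """Annual payment activity of one organization (constructed input)."""
    name: str
    # Own sales per channel, e.g. {"ecommerce": n, "in_store": n, "mobile": n}
    own_channels: dict = field(default_factory=dict)
    # Transactions stored/processed/transmitted on behalf of other entities.
    for_others: int = 0
    # A card-brand designation after a breach overrides the volume rule.
    breached: bool = False


def merchant_level(channels, breached=False):
    """Merchant level from volumes across *all* channels (challenge 1).

    The breach flag (challenge 3) wins over any volume. Level 3 is decided
    by the e-commerce count alone; everything else below 1M is Level 4.
    """
    total = sum(channels.values())
    if breached or total > MERCHANT_L1_TOTAL:
        return 1
    if total >= MERCHANT_L2_TOTAL:
        return 2
    if channels.get(ECOM, 0) >= MERCHANT_L3_ECOM:
        return 3
    return 4


def service_provider_level(count):
    """Two service-provider levels, split at 300,000 transactions."""
    return 1 if count > SP_L1_COUNT else 2


def validation_path(role, level):
    """Validation documents the article associates with each role and level."""
    if level == 1:
        return "ROC by QSA or ISA + AOC"
    if role == "merchant":
        return "SAQ (or ROC if the acquirer requires it) + AOC"
    return "SAQ D for Service Providers (or ROC if required) + AOC"


def classify(entity):
    """Return every role the entity holds (challenge 4) with its level and path."""
    roles = {}
    if entity.own_channels:  # accepts cards for its own goods/services
        lvl = merchant_level(entity.own_channels, entity.breached)
        roles["merchant"] = (lvl, validation_path("merchant", lvl))
    if entity.for_others > 0:  # handles cardholder data for someone else
        lvl = service_provider_level(entity.for_others)
        roles["service_provider"] = (lvl, validation_path("service_provider", lvl))
    return roles


if __name__ == "__main__":
    cases = [
        # Challenge 1: counting only in-store says Level 2; all channels -> Level 1.
        Entity("retailer", {"in_store": 5_000_000, ECOM: 2_000_000}),
        # Challenge 3: 30K e-commerce is Level 3, but a breach designation -> Level 1.
        Entity("small-shop", {ECOM: 30_000}, breached=True),
        # Challenge 4: SaaS with its own subscriptions plus billing for other businesses.
        Entity("saas-billing", {ECOM: 40_000}, for_others=500_000),
    ]
    for e in cases:
        print(e.name, classify(e))
```

Re-run the classifier whenever annual volumes are refreshed from your acquirer's reports (challenge 5): the `retailer` case shows how an in-store-only count lands on Level 2 while the true total lands on Level 1, and `saas-billing` shows a company that is a Level 3 merchant and a Level 1 service provider at the same time.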
Boost your PCI Compliance Validation Efforts with Planet 9
Unsure where to start with PCI DSS compliance? Planet 9 provides expert guidance to help your business meet compliance requirements, avoid costly fines, demonstrate a commitment to data security, and strengthen customer confidence—all while taking a cost-effective approach tailored to your needs. Depending on the size of the company and the volume of annual credit card transactions, we’ll assist your business in achieving PCI DSS compliance through the following steps:
- Initial assessment: Conduct a kickoff session to analyze the types and volumes of credit card transactions.
- Security maturity evaluation: Assess your organization’s current security posture to establish a baseline and determine gaps and remediation strategies for achieving compliance.
- Validation requirement analysis: Identify the necessary PCI DSS validation path (SAQ, ROC, AOC) based on transaction volumes and accepted credit card brands.
- Compliance planning: Develop a comprehensive PCI DSS compliance strategy tailored to your security maturity and validation requirements.
- Validation process support: Assist your organization in the annual compliance validation and attestation process.
- Ongoing compliance guidance: Provide expert advice on preparing for future validation efforts.
Book a free consultation or contact the Planet 9 team for help defining your PCI compliance level and achieving compliance. We'll be happy to assist!