
What is PCI-DSS Level 1?

PCI-DSS compliance is essential for any business that handles credit card data during transactions. As these payments are frequently targeted by cyber attackers, it’s important for both your customers and your business to ensure your security systems are watertight.

Businesses trying to obtain PCI-DSS compliance will need to ensure they are following the appropriate standards. Depending on the size and scale of your business, you will fall under one of the four following PCI-DSS merchant levels:

  • Level 1 covers merchants that process over 6 million card transactions a year.
  • Level 2 covers merchants that process 1 million to 6 million transactions a year.
  • Level 3 covers merchants that process 20,000 to 1 million transactions a year.
  • Level 4 covers merchants that process fewer than 20,000 transactions a year.

PCI-DSS Level 1 requirements differ greatly from the other three levels, so these must be carefully observed and understood.

What is PCI-DSS Level 1?

Of the four merchant levels, PCI-DSS Level 1 is the highest – meaning relevant businesses have the strictest requirements to adhere to.

As a rule of thumb, merchants who process over six million transactions a year qualify for PCI-DSS Level 1. However, different card issuers have different criteria for Level 1, so it’s important to consider which of these is relevant:

VISA, Mastercard, and Discover:

  • Merchants with more than 6 million transactions annually.
  • Service providers with more than 300,000 transactions annually.

American Express:

  • Merchants with more than 2.5 million transactions annually.
  • Service providers with more than 300,000 transactions annually.


  • Merchants with more than 1 million transactions annually.
  • Service providers with more than 300,000 transactions annually.

Although this level is primarily for businesses operating on a large scale, merchants of any size who have suffered a significant breach of cardholder data will also have to comply with Level 1 requirements.

How do merchants become PCI-DSS Level 1 compliant?

The first step in the PCI-DSS Level 1 compliance process is to complete a PCI-DSS Self-Assessment Questionnaire (SAQ). This form is provided by the PCI Security Standards Council (SSC) and allows the business to self-assess its controls.

Following this on-site audit, your business will be required to notify the receiving bank of the results, as buyers also need to follow payment mark rules and procedures.

You will then need to obtain an Annual Report on Compliance (ROC) prepared by a Qualified Security Auditor (QSA).

Several steps need to be taken to complete an ROC. A QSA will need to assess your point-of-sale (POS) system and thoroughly review all vulnerability areas. There will also need to be a priority list of actions needed to prevent attacks.

Once this assessment is complete, your business will then need to monitor and maintain any security protocols that have been implemented to reduce the risk of a breach.

PCI-DSS Level 1 businesses will also need to have quarterly network scanning undertaken by an Approved Scan Vendor (ASV) to remain compliant.

Do service providers have to follow PCI-DSS Level 1 requirements?

Many merchants will choose to work with service providers to process payments during a transaction – whether this is through providing internet services or acting as the receiving bank. The PCI-DSS compliance requirements for service providers differ slightly from the standards laid out for merchants.

Service providers meet the criteria for PCI-DSS Level 1 if they store, process, or transmit over 300,000 payment card transactions each year. If the service provider falls under this category, they will have to adhere to the following PCI-DSS Level 1 requirements:

  • An ROC prepared by a QSA
  • A quarterly network scan by an ASV
  • Regular penetration testing
  • Regular internal scanning

Why should my business be PCI-DSS Level 1 compliant?

There are plenty of benefits that come with being PCI-DSS Level 1 compliant. Not only will you appear more trustworthy to your clients and customers, but you’ll also save your business from costly fines and reputational damage that come from data breaches.

Your business will also have more leverage when it comes to negotiating with banks, who tend to be more willing to work with companies that are PCI-DSS compliant.

Compliance as you work with Hicomply

If your business is new to PCI-DSS compliance, the process can seem intimidating and extremely time-consuming – especially for Level 1 merchants and vendors. However, we at Hicomply are here to help streamline the process so your time can be spent on the things that truly matter – like running your business!

Hicomply offers a fully-fledged ISMS solution that keeps all of your documents in one place so you can achieve certification quickly and easily. Contact us for a demo today.