Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first

What is PCI-DSS Level 2?

All businesses that store, process, or transmit payment card transactions are required to become PCI-DSS compliant. PCI-DSS compliance is a set of standards that your business will need to follow to ensure that your security systems are watertight to reduce the risk of any cyber-attacks or data breaches.

Depending on the size and scale of your business, you will fall under one of the four following PCI-DSS merchant levels:

  • Level 1 covers merchants that process over 6 million card transactions a year.
  • Level 2 covers merchants that process 1 million to 6 million transactions a year.
  • Level 3 covers merchants that process 20,000 to 1 million transactions a year.
  • Level 4 covers merchants that process fewer than 20,000 transactions a year.

Everything your business needs to know about adhering to PCI-DSS Level 2 requirements is explained below.

What is PCI-DSS Level 2?

If your business processes, stores, or transmits between one and six million card transactions per year, you would be classified as a PCI-DSS Level 2 merchant.

However. It’s worth acknowledging that different card providers have different conditions for businesses aiming to qualify as PCI-DSS Level 2 merchants. These are:

VISA, Mastercard, and Discover:

  • Merchants who process between 1 and 6 million transactions annually.
  • Service providers with fewer than 300,000 transactions annually.

American Express:

  • Merchants who process between 50,000 and 2.5 million transactions annually.
  • Service providers with fewer than 300,000 transactions annually.


  • Merchants with fewer than 1 million transactions annually.
  • Service providers with fewer than 300,000 transactions annually.

If your annual transactions were ever to exceed six million, you would need to follow PCI-DSS Level 1 requirements

How do merchants become PCI-DSS Level 2 compliant?

A business aiming for PCI-DSS Level 2 compliance should first complete PCI-DSS Self-Assessment Questionnaire (SAQ). This is a PCI Security Standards Council (SSC) approved form that asks a business to self-assess its current security measures and the strength of these.

If your business is on the verge of meeting PCI-DSS Level 1 requirements, you may also need to complete an Annual Report on Compliance (ROC) prepared by a Qualified Security Auditor (QSA). This is only the case if you are nearing the maximum of six million transactions annually.

During an ROC, your QSA will need to assess your point-of-sale (POS) system to review all potential vulnerabilities. This will result in a priority list of actions your business will need to take to ensure all security issues are tackled.

Following an ROC, you will need to continuously monitor and maintain any newly implemented security protocols to reduce the risk of a breach.

Your business will also need to have quarterly network scanning undertaken by an Approved Scan Vendor (ASV), as well as regular penetration testing and internal scanning, to remain PCI-DSS Level 2 compliant.

Do service providers have to follow PCI-DSS Level 2 requirements?

Service providers are often chosen by merchants to work as third-party payment processors during transactions. These usually either offer internet services or act ask the receiving bank. As they are also involved in handling vulnerable cardholder data, service providers must also ensure they are PCI-DSS compliant.

If a service provider stores, processes, or transmits fewer than 300,000 payment card transactions each year, they will have to follow the below PCI-DSS Level 2 requirements:

  • An annual SAQ
  • An ROC prepared by a QSA
  • A quarterly network scan by an ASV
  • Regular penetration testing
  • Regular internal scanning
  • An Attestation of Compliance Form

Why should my business be PCI-DSS Level 2 compliant?

It’s important to consider the benefits that being PCI-DSS Level 1 compliant offers. Your business will appear more trustworthy when negotiating with banks and stakeholders, who tend to actively seek out PCI-DSS compliance in partners. This will also reflect well on your clients and customers, who will ultimately have more confidence when making a transaction with your business.

Your cyber defence will also be strengthened overall thanks to the increased measures. This reduces the risk of data breaches significantly, which will save your business from having to recover from expensive fines and any reputational damage.

Become PCI-DSS Level 2 compliant with Hicomply

PCI-DSS compliance can be a long and arduous procedure, especially if your business is new to the process. This is why Hicomply is dedicated to helping businesses make compliance simpler than ever.

Our ISMS solution organises your documents, keeping them all in one place, so you can stay on top of everything with ease. If you’re looking for compliance as you work, contact us for a demo today.