What Do the PCI Levels Mean?
Published: Jun 30, 2014
Last Updated: Apr 23, 2025
PCI levels are categories that the PCI Security Standards Council (SCC) and card brands (VISA, MasterCard, American Express, Discover, and JCB) use to determine PCI compliance validation and reporting requirements for both merchants and service providers. The levels are numbered 1 through 4, with 1 at the highest level.
At level 1, merchants and service providers are required to engage an independent Qualified Security Assessor (QSA) to validate compliance with the PCI Data Security Standard (DSS).
Level 2 through level 4 merchants and service providers are permitted, but not required, to self-validate compliance with the DSS. They may also have a QSA validate compliance.
Ultimately, all entities that store, process, or transmit cardholder data are required to comply with all relevant PCI DSS requirements, regardless of transaction volume. Having a QSA validate compliance with the DSS provides confidence and assurance that the cardholder data environment (CDE) is securely controlled and that relevant requirements have been met.
About Eric Sampson
Eric Sampson is a Director at Schellman, where he helps lead the PCI practice and works with clients across industries including merchants, cloud and technology service providers, healthcare, eCommerce, and financial services. With over 20 years of experience, Eric has guided hundreds of client engagements in areas including PCI, SOC, WebTrust for Certification Authorities, HIPAA, Federal PKI, and agreed-upon procedures.