PCI DSS Level 1 And Impact on Merchants

By Max Edwards | Updated 21 February 2024

PCI DSS Level 1 is the highest and most stringent of the four compliance levels, applicable to merchants processing over 6 million card transactions annually or those deemed high risk by card brands. It requires an annual on-site audit by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scan Vendor (ASV), ensuring the most comprehensive security measures are in place to protect cardholder data.

PCI DSS and Its Impact on Level 1 Merchants

As a Level 1 merchant, you’re at the forefront of processing a significant volume of transactions, which places you squarely within the scope of the Payment Card Industry Data Security Standard (PCI DSS) 4.0. This latest iteration, released in March 2022, is not just a set of guidelines but a comprehensive framework designed to safeguard cardholder data against the ever-evolving threats in the digital landscape.

The Evolution of PCI DSS for Level 1 Merchants

PCI DSS 4.0 introduces nuanced changes that reflect the dynamic nature of cyber threats and the need for robust security measures. As a Level 1 merchant, handling over 6 million transactions annually, you’re required to adhere to the most stringent compliance requirements. These include a mandatory external audit by a Qualified Security Assessor (QSA) and the submission of a Report on Compliance (RoC).

The Critical Nature of Compliance

For you, compliance is not optional. It’s a mandatory step to not only protect your customers’ sensitive data but also to maintain your reputation and avoid potential fines and penalties. Non-compliance could lead to processing restrictions and even oversight by regulatory bodies like the Federal Trade Commission (FTC).

Enhancements in Data Security

PCI DSS 4.0 aims to fortify the security of cardholder data by introducing new control objectives and requirements. These are designed to be adaptable, allowing you to implement security measures that align with your specific business model and the types of transactions you process. Our platform, ISMS.online, is here to guide you through these changes, ensuring that your transition to compliance is as smooth and efficient as possible.

Classifying Level 1 Merchants

Understanding the classification criteria for Level 1 merchants under PCI DSS 4.0 is essential for ensuring compliance. As a Level 1 merchant, you are part of a group that processes over 6 million transactions annually. This high volume of transactions places you in the most stringent category for security standards and compliance measures.

Transaction Volume Thresholds

The primary criterion that defines a Level 1 merchant is the processing of more than 6 million transactions per year. This includes both credit and debit card transactions across all channels.

Influence of Transaction Volumes on Compliance

Your annual transaction volume directly determines your compliance obligations. As a Level 1 merchant, you are required to adhere to the most comprehensive set of security measures and undergo an annual external audit by a Qualified Security Assessor (QSA).

Exceptions and Special Considerations

Certain types of transactions may require special consideration, such as those processed outside of the traditional card-present environment. It’s important to consult with a QSA to understand if any exceptions apply to your specific situation.

Documentation for Verification

To verify your transaction volume, you must provide accurate processing data, typically sourced from your acquiring bank or payment processor. This documentation is crucial for validating your merchant level and must be kept up-to-date to reflect any changes in your transaction volume.

At ISMS.online, we understand the importance of maintaining precise records and offer solutions to help you manage and report your compliance status effectively.

Roadmap to Compliance – Steps for Level 1 Merchants

Embarking on the PCI DSS 4.0 compliance journey requires a structured approach, especially for Level 1 merchants who handle a significant volume of transactions. Our platform, ISMS.online, is designed to guide you through each step, ensuring that you understand and meet all necessary requirements.

Initiating the Compliance Process

The first step in your compliance journey is to acknowledge your status as a Level 1 merchant and understand the associated responsibilities. This involves a thorough review of PCI DSS 4.0 standards to identify the specific requirements applicable to your operations.

Determining Specific Compliance Requirements

To pinpoint your unique compliance needs under PCI DSS 4.0, you must assess your current security measures against the standard’s requirements. This assessment will highlight areas that need enhancement to meet the updated controls and protocols.

Engaging a Qualified Security Assessor (QSA)

A QSA plays a pivotal role in your compliance process. These professionals are certified by the PCI Security Standards Council to conduct assessments and validate your adherence to the standards. Engaging a QSA early can provide valuable insights and direction for achieving compliance.

Staying on Track for the Compliance Deadline

To ensure you meet the compliance deadline, it’s crucial to develop a timeline with milestones for implementing necessary changes. Regular check-ins with your QSA and utilising tools like ISMS.online can help you maintain progress and address any issues promptly.


Breakdown of PCI DSS Requirements

As a Level 1 merchant, you’re required to meet the most rigorous standards set by the PCI DSS 4.0. Our platform, ISMS.online, is here to help you understand and navigate these requirements effectively.

Core Control Objectives and Key Requirements

PCI DSS 4.0 is structured around six control objectives that together encompass twelve key requirements, all designed to protect cardholder data and maintain a secure network. The six objectives, with the requirements grouped under each, are:

  1. Build and Maintain a Secure Network and Systems: Install and maintain firewall configurations, and avoid vendor-supplied defaults for system passwords and other security parameters.
  2. Protect Cardholder Data: Protect stored cardholder data and encrypt transmission of cardholder data across open, public networks.
  3. Maintain a Vulnerability Management Programme: Protect all systems against malware and regularly update anti-virus software or programmes. Develop and maintain secure systems and applications.
  4. Implement Strong Access Control Measures: Restrict access to cardholder data by business need-to-know, identify and authenticate access to system components, and restrict physical access to cardholder data.
  5. Regularly Monitor and Test Networks: Track and monitor all access to network resources and cardholder data, and regularly test security systems and processes.
  6. Maintain an Information Security Policy: Maintain a policy that addresses information security for all personnel.

Application of Sub-Requirements

Each key requirement includes sub-requirements tailored to address specific security concerns. As a Level 1 merchant, you must ensure that all sub-requirements are met, which may involve implementing complex controls and conducting regular audits.

New and Enhanced Controls in PCI DSS 4.0

PCI DSS 4.0 introduces new controls and enhances existing ones to counter evolving threats. These include additional requirements for authentication, increased focus on encryption, and expanded expectations for monitoring and testing.

Prioritising and Implementing Requirements

To prioritise and implement these requirements effectively, you should conduct a gap analysis to identify areas needing improvement. Utilise our ISMS.online platform to manage and document your compliance efforts, ensuring that you address each requirement systematically and thoroughly.

Reporting and Validation

As a Level 1 merchant, you are subject to the most stringent reporting requirements under PCI DSS 4.0. Our role at ISMS.online is to ensure that you understand these obligations and assist you in meeting them with precision and confidence.

Specific Reporting Requirements

For Level 1 merchants, the reporting process is comprehensive:

  • Annual Report on Compliance (RoC): Conducted by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), the RoC is a detailed report documenting your compliance with all PCI DSS requirements.
  • Attestation of Compliance (AOC): This is a formal declaration of your compliance status, completed by the QSA or ISA who performed the RoC.

Distinctions Between RoC and AOC

Understanding the differences between these documents is crucial:

  • The RoC is an in-depth assessment, while the AOC serves as a summary certification of your compliance status.
  • The RoC provides a comprehensive review of your security controls, whereas the AOC is a verification form that accompanies the RoC.

Role of Approved Scanning Vendors

Approved Scanning Vendors (ASV) play a critical role in the validation process by conducting quarterly external vulnerability scans to ensure that your systems remain secure against external threats.

Compliance Report Submission Frequency

As a Level 1 merchant, you must:

  • Submit an annual RoC.
  • Complete quarterly ASV scans.
  • Maintain ongoing vigilance to ensure continuous compliance and security of cardholder data.

At ISMS.online, we provide the tools and support to help you manage these requirements effectively.


Security Assessments – Ensuring Ongoing Protection

For Level 1 merchants, conducting regular security assessments is not just a compliance requirement; it’s a critical component of your overarching security strategy. At ISMS.online, we emphasise the importance of these assessments in safeguarding cardholder data.

Mandatory Security Assessments

As a Level 1 merchant, you are required to undergo the following assessments:

  • Annual External Audits: Performed by a Qualified Security Assessor (QSA) to ensure comprehensive compliance with PCI DSS requirements.
  • Quarterly Network Scans: Conducted by an Approved Scanning Vendor (ASV) to identify vulnerabilities in your network that could be exploited by malicious actors.
  • Regular Penetration Tests: These tests simulate cyber attacks to evaluate the effectiveness of your security measures.

Frequency of Assessments

  • Network Scans: Must be performed quarterly.
  • Penetration Tests: Should be conducted at least annually and after any significant changes to your network or applications.

Qualifications for Service Providers

Service providers conducting these assessments must be certified by the PCI Security Standards Council. QSAs and ASVs have proven expertise in identifying and mitigating security risks in payment card environments.

Contribution to Security Posture

These assessments are integral to maintaining a robust security posture. They help you identify potential weaknesses before they can be exploited and ensure that your security controls are functioning effectively. By regularly evaluating your defences, you can adapt to new threats and protect your customers’ sensitive data.

Advanced Security Measures for Data Protection

Under PCI DSS 4.0, Level 1 merchants are expected to implement advanced security measures to safeguard cardholder data. At ISMS.online, we provide the necessary tools and guidance to ensure that your payment environments are secure and compliant.

Integrating Encryption, Tokenization, and Access Controls

To protect cardholder data, we recommend a multi-layered security approach:

  • Encryption: Transforms sensitive data into an unreadable form during transmission, so that unauthorised parties who intercept it cannot read it.
  • Tokenization: Replaces sensitive data elements with non-sensitive equivalents, known as tokens, which have no exploitable value outside the system that issued them.
  • Access Controls: Ensure that only authorised individuals can reach sensitive data, based on their role and a demonstrated business need.

These technologies work in tandem to create a robust defence against data breaches and unauthorised access.

Role of an Integrated Management System

An Integrated Management System (IMS) streamlines the implementation and management of these security measures. It provides a centralised framework for overseeing all aspects of your security posture, ensuring consistency and compliance.

ISMS.online: Your Partner in Security

Our platform, ISMS.online, assists you in deploying these advanced security measures. We offer:

  • Guided Certification: To help you understand and meet PCI DSS requirements.
  • Policy and Control Management: For establishing and enforcing security policies.
  • Risk Management Tools: To identify and mitigate potential security risks.

By leveraging ISMS.online, you can ensure that your security measures are effective, up-to-date, and aligned with PCI DSS 4.0 standards.


PCI DSS Merchant Level Table

PCI DSS Merchant Level    Transactions Per Year
Level 1                   Over 6 million
Level 2                   Between 1 and 6 million
Level 3                   Between 20,000 and 1 million
Level 4                   Fewer than 20,000

Navigating the Consequences of Non-Compliance

Understanding the repercussions of failing to comply with PCI DSS 4.0 is crucial for Level 1 merchants. At ISMS.online, we stress the importance of adherence to these standards to avoid severe penalties and maintain your business’s integrity.

Potential Fines and Penalties

Non-compliance with PCI DSS 4.0 can result in substantial fines and penalties from payment card brands and acquiring banks. These can include:

  • Monetary fines that vary depending on the severity and duration of non-compliance.
  • Increased transaction fees or even termination of the ability to process payment card transactions.

Impact on Relationships with Payment Card Brands and Acquiring Banks

Failing to comply can strain your relationships with payment card brands and acquiring banks, leading to:

  • Rigorous monitoring and additional compliance verification requirements.
  • A potential loss of trust, which can affect your negotiating power and partnership terms.

Reputational Risks

Data breaches resulting from non-compliance can have long-lasting reputational damage:

  • Loss of customer trust and confidence, which can lead to a decline in sales.
  • Negative media coverage that can tarnish your brand image.

Mitigating Risks of Non-Compliance

To mitigate these risks, we recommend:

By taking these steps, you can safeguard your business against the consequences of non-compliance and maintain a secure and trustworthy payment environment.


Building a Culture of Security and Compliance

Creating a culture that values data security and PCI DSS compliance is fundamental for Level 1 merchants. At ISMS.online, we believe that fostering this culture is as crucial as implementing technical controls.

Essential Training and Awareness Programmes

To instil a strong security culture, comprehensive training programmes are essential:

  • Regular Training Sessions: Ensure all employees understand the importance of PCI DSS compliance and their role in maintaining it.
  • Awareness Campaigns: Use posters, newsletters, and regular updates to keep security at the forefront of employees’ minds.

Engaging Employees in PCI DSS Controls

Employee engagement is key to the effectiveness of your security measures:

  • Inclusive Policy Development: Involve employees in creating and reviewing security policies to increase buy-in and adherence.
  • Feedback Mechanisms: Encourage reporting of potential security issues and provide channels for employees to suggest improvements.

Strategies for Sustaining Security Culture

Maintaining a strong security culture requires ongoing effort:

  • Recognition Programmes: Acknowledge and reward compliance and security best practices among staff.
  • Continuous Learning: Offer opportunities for employees to update their knowledge on the latest security threats and prevention techniques.

By prioritising these strategies, you can ensure that your organisation not only meets PCI DSS requirements but also values and protects cardholder data as a matter of course.



ISMS.online Supports PCI DSS Compliance

At ISMS.online, we understand that navigating the PCI DSS 4.0 landscape can be daunting, especially for Level 1 merchants with extensive compliance obligations. Our platform is designed to provide you with tailored support throughout your compliance journey.

Partnering with Compliance Experts

By partnering with us, you benefit from:

  • Expert Guidance: Our team of compliance experts offers insights and advice specific to PCI DSS 4.0 requirements.
  • Streamlined Assessment: We simplify the assessment process, making it easier to identify and address compliance gaps.

Simplifying the Compliance Process

Our partnership aims to:

  • Reduce Complexity: We break down the compliance process into manageable steps.
  • Provide Integrated Tools: Our platform offers comprehensive tools for documentation management, risk assessment, and policy control.

Contact ISMS.online

Book a demo today.

Embarking on your PCI DSS 4.0 compliance journey with ISMS.online ensures a structured, supported, and efficient path to meeting and exceeding the standard's requirements.