PCI DSS Level 4 And Impact on Merchants

By Max Edwards | Updated 21 February 2024

PCI DSS Level 4 pertains to merchants processing fewer than 20,000 e-commerce transactions or up to 1 million transactions annually across all channels. These entities are required to complete an annual Self-Assessment Questionnaire (SAQ) and may also be subject to quarterly network scans by an Approved Scanning Vendor (ASV), focusing on implementing essential security controls to protect cardholder data effectively.

PCI DSS and Its Impact on Level 4 Merchants

The Payment Card Industry Data Security Standard (PCI DSS) serves as a benchmark for organisations that handle branded credit cards from the major card schemes. The foundational principles of PCI DSS 4.0 are designed to protect cardholder data by maintaining a secure environment. This latest version builds upon the robust framework established by its predecessors, enhancing cardholder data protection through advanced security measures and increased flexibility to adapt to the changing landscape of payment security.

Enhancements in PCI DSS 4.0

PCI DSS 4.0 introduces new methodologies for achieving security objectives, allowing for a more customised implementation of controls. This version emphasises the importance of continuous monitoring and the adoption of security as a business-as-usual practice. By doing so, it aims to ensure that security controls remain effective in the face of evolving threats and technologies.

Evolution of PCI DSS

Since its inception in 2004, PCI DSS has undergone several updates to address emerging threats and market needs. The evolution from version 1.0 to 4.0 reflects a shift towards a more dynamic and data-driven approach to security, with an increased focus on risk analysis and mitigation.

Alignment with ISMS.online

At ISMS.online, we understand the importance of a comprehensive approach to security. Our integrated management systems align with the principles of PCI DSS 4.0, offering a platform that supports the rapid deployment of security controls, guided certification, and robust policy and risk management tools. We provide a framework that not only helps you achieve compliance but also enhances your overall security posture, ensuring that you're well-equipped to protect sensitive cardholder information.

Defining Level 4 Merchant Compliance

Understanding your classification as a Level 4 merchant under the Payment Card Industry Data Security Standard (PCI DSS) version 4.0 is crucial for compliance. As a Level 4 merchant, you are typically processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions per year. It’s essential to accurately count and report your transaction volumes, as they directly influence your classification and the specific compliance measures you must undertake.

Transaction Volume and Compliance Classification

Your transaction volume is a key determinant in your classification as a Level 4 merchant. This volume includes all payment channels, and it’s imperative that you include every transaction to ensure proper classification. Accurate reporting is not only a compliance requirement but also a strategic step in understanding the security measures you need to implement.

Security Obligations for Level 4 Merchants

As a Level 4 merchant, you are required to adhere to the same 12 PCI DSS requirements as larger merchants, although the validation and reporting processes may differ. These requirements range from maintaining a secure network to regularly monitoring and testing networks.



Navigating the Compliance Validation Process

For Level 4 merchants, validating compliance with PCI DSS 4.0 is a structured process that ensures the security of cardholder data. It’s imperative to understand the steps involved and the frequency of required actions to maintain compliance.

Steps for Validating PCI DSS Compliance

To validate compliance, you must first complete a Self-Assessment Questionnaire (SAQ) that corresponds to your payment processing methods. Following the SAQ, you’ll need to pass a vulnerability scan conducted by an Approved Scanning Vendor (ASV) if you are involved in e-commerce. These steps culminate in the submission of an Attestation of Compliance (AOC), a formal declaration of your adherence to the PCI DSS requirements.

Frequency of Compliance Scans and Assessments

Scans and assessments are not a one-time task. As a Level 4 merchant, you are required to perform quarterly network scans and an annual SAQ. Regular scans ensure ongoing vigilance against new vulnerabilities and threats.

The Attestation of Compliance and FTC Oversight

The AOC plays a pivotal role in the validation process, serving as evidence of your compliance. It’s essential for reporting to your acquiring bank and card brands. Additionally, oversight by the Federal Trade Commission (FTC) underscores the importance of compliance, as the FTC can impose penalties for lapses in protecting consumer data.

At ISMS.online, we provide the tools and guidance you need to navigate this process efficiently, ensuring that you meet all requirements and maintain the trust of your customers and partners.


Merchant Levels and Transaction Volumes

Determining your merchant level within the PCI DSS framework is a critical step in understanding your compliance obligations. Your level is defined by the number of transactions you process annually, which dictates the specific validation requirements you must fulfil.

PCI DSS Merchant Level Thresholds

PCI DSS 4.0 categorises merchants into four levels based on transaction volume:

  • Level 1: Over 6 million transactions annually
  • Level 2: 1 to 6 million transactions annually
  • Level 3: 20,000 to 1 million e-commerce transactions annually
  • Level 4: Fewer than 20,000 e-commerce transactions annually or up to 1 million total transactions

Verifying Transaction Volume for Compliance

To verify your transaction volume, you must aggregate the total number of transactions over the past 52 weeks across all payment channels. This includes all card-present and card-not-present transactions, regardless of size or processing method.


The Role of PCI Qualified Security Assessors

For the purpose of PCI DSS compliance, Qualified Security Assessors (QSAs) play a pivotal role, especially for Level 4 merchants who may not have extensive cybersecurity resources. QSAs are professionals certified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS.

Qualifications of a PCI Qualified Security Assessor

To become a QSA, individuals must possess a deep understanding of payment card security and the PCI DSS. They undergo rigorous training and must pass stringent exams to ensure they can competently guide merchants through the compliance process.

Contributions of QSAs to Level 4 Merchant Compliance

QSAs assist Level 4 merchants by assessing their payment card processing environments, identifying vulnerabilities, and recommending remediations. They ensure that all 12 PCI DSS requirements are met, from secure network maintenance to information security policy enforcement.

Significance of POS Device Approval

QSAs also play a crucial role in the approval of Point of Sale (POS) devices. They verify that these devices meet PCI standards for secure transactions, which is vital for protecting cardholder data against breaches.

Streamlining QSA Engagement with ISMS.online

At ISMS.online, we simplify the process of engaging with QSAs. Our platform provides a centralised location for documenting compliance efforts, managing risks, and demonstrating adherence to PCI DSS requirements. This organised approach facilitates efficient QSA assessments, ensuring that you can achieve and maintain compliance with confidence.


Leveraging PCI SSC Training and Resources

As a Level 4 merchant, staying informed and educated on PCI DSS requirements is vital. The PCI Security Standards Council (PCI SSC) offers a wealth of resources and training opportunities designed to support your compliance journey.

Training Opportunities for Compliance Officers

PCI SSC provides comprehensive training programmes for compliance officers, including official courses and certifications. These educational resources are tailored to help you understand the intricacies of PCI DSS and how to apply them effectively within your business.

Accessing PCI SSC Standards and Resources

You can access the latest PCI SSC standards and payment security resources through their official website. These documents are essential for staying up-to-date with the current security requirements and best practices in payment processing.

The Importance of Community Meetings and Webcasts

Community meetings and webcasts hosted by PCI SSC play a significant role in fostering a collaborative environment for sharing knowledge and experiences. They offer a platform for you to learn from industry experts and peers, ensuring you remain at the forefront of payment security.


Implementing the 12 PCI DSS Requirements

As a Level 4 merchant, you’re tasked with implementing the 12 PCI DSS requirements to safeguard cardholder data. These requirements form a robust framework for securing your payment environment.

The 12 PCI DSS Controls

The specific requirements outlined by PCI DSS are designed to protect cardholder data through a comprehensive set of controls:

  1. Install and maintain firewall configurations to shield cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data through encryption and other protective measures.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software or programmes.
  6. Develop and maintain secure systems and applications by applying patches and updates.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access to track data access.
  9. Restrict physical access to cardholder data to prevent unauthorised access.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes to identify vulnerabilities.
  12. Maintain a policy that addresses information security for all personnel.

Collective Protection of Cardholder Data

These requirements, when implemented effectively, create a multi-layered defence strategy, ensuring that cardholder data is protected from unauthorised access and data breaches.

Challenges for Level 4 Merchants

Level 4 merchants may face challenges in implementing these requirements due to limited resources or cybersecurity expertise. However, compliance is not optional and is critical for maintaining customer trust and avoiding penalties.

ISMS.online’s Toolkit for Compliance

At ISMS.online, we provide a comprehensive toolkit to aid you in meeting these requirements. Our platform offers policy templates, risk management tools, and compliance checklists to simplify the process. With our guidance, you can ensure that each control is properly implemented, making compliance achievable and sustainable.


PCI DSS Merchant Level Table

PCI DSS Merchant Level   | Transactions Per Year
PCI DSS Merchant Level 1 | Over 6 million
PCI DSS Merchant Level 2 | Between 1 to 6 million per year
PCI DSS Merchant Level 3 | Between 20,000 to 1 million per year
PCI DSS Merchant Level 4 | Fewer than 20,000 per year

Selecting the Appropriate Self-Assessment Questionnaire

Determining which Self-Assessment Questionnaire (SAQ) to complete is a critical step in your PCI DSS compliance journey. As a Level 4 merchant, the SAQ you select depends on your specific payment processing methods and the complexity of your payment card environment.

Factors Influencing SAQ Choice

Several factors influence the choice of SAQ for Level 4 merchants:

  • Payment Processing Methods: Whether you process transactions online, in-person, or both.
  • Cardholder Data Environment: The extent to which you interact with or store cardholder data.
  • Outsourcing: Whether you outsource card processing to third parties.

Variations in SAQ Complexity and Scope

SAQs vary in complexity and scope, tailored to different merchant environments:

  • SAQ A: For merchants who outsource all cardholder data functions.
  • SAQ B: For merchants using only imprint machines or standalone dial-out terminals.
  • SAQ C-VT: For merchants using virtual terminals on a single device.
  • SAQ C: For merchants with payment application systems connected to the internet.
  • SAQ D: For merchants not covered by the above SAQ types or with more complex environments.


Addressing Non-Compliance Penalties and Risks

Navigating the landscape of PCI DSS 4.0 compliance is critical for Level 4 merchants to avoid the severe penalties associated with non-compliance. Understanding these penalties and the measures to mitigate risks is essential for maintaining the integrity of your payment card operations.

Potential Penalties for Non-Compliance

Non-compliance with PCI DSS 4.0 can result in significant penalties:

  • Financial Penalties: Fines ranging from $5,000 to $100,000 per month until compliance is achieved.
  • Operational Penalties: Potential revocation of card processing privileges, impacting your ability to conduct business.

Mitigating the Risk of Non-Compliance

To mitigate these risks, you should:

  • Regularly Review Compliance Status: Stay informed about your compliance status through regular reviews and updates to security measures.
  • Implement Robust Security Practices: Adopt and maintain security best practices, including encryption and access control.

FTC Enforcement Actions

The Federal Trade Commission (FTC) can take enforcement actions against non-compliant merchants, which may include:

  • Investigations: Inquiries into the practices and compliance status of your business.
  • Legal Action: Civil penalties or orders to enforce compliance and protect consumer data.

ISMS.online’s Role in Avoiding Penalties

At ISMS.online, we provide a comprehensive platform to help you avoid non-compliance penalties. Our services include:

  • Guided Certification: Step-by-step assistance through the compliance process.
  • Risk Management Tools: Resources to identify and mitigate potential security risks.
  • Policy and Control Management: Systems to maintain and document compliance efforts.

By partnering with us, you can ensure that your business adheres to PCI DSS 4.0 standards, safeguarding against the repercussions of non-compliance.


Data Security and Advanced Technologies

Within the scope of data security, advanced technologies such as encryption and tokenization are not just beneficial but essential components of PCI DSS compliance. These technologies serve as critical layers of defence, safeguarding sensitive cardholder data against breaches and unauthorised access.

The Critical Role of Encryption and Tokenization

Encryption transforms cardholder data into a secure format that is unreadable without the proper decryption key, while tokenization replaces sensitive data with a unique identifier, or token, that has no exploitable value. Both methods are pivotal in protecting data both at rest and during transmission, significantly reducing the risk of data compromise.

Optimising Security Measures

To optimise your security measures:

  • Firewall Configurations: Ensure that your firewall configurations are robust, up-to-date, and properly maintained to protect against external threats.
  • Security Protocols: Regularly review and enhance security protocols to address new vulnerabilities as they arise.

Emerging Technologies in PCI DSS Compliance

Emerging technologies like cloud computing and mobile payments are reshaping PCI DSS compliance strategies. Staying abreast of these developments is crucial for maintaining a secure payment environment.


Preparing for PCI Audits and Assessments

As a Level 4 merchant, preparing for PCI audits and assessments is a critical component of your compliance strategy. Understanding the audit process and the differences between internal and external audits will help you navigate this requirement with confidence.

Understanding the PCI Audit Process for Level 4 Merchants

The PCI audit process for Level 4 merchants typically involves completing a Self-Assessment Questionnaire (SAQ) and undergoing a vulnerability scan if you are involved in e-commerce. Unlike Level 1 merchants, you are not required to have an on-site audit conducted by a Qualified Security Assessor (QSA), unless your acquirer or payment brand deems it necessary.

Distinguishing Between Internal and External Audit Requirements

Internal audits are conducted by your own staff who are familiar with your business processes and systems. These audits are more flexible and can be integrated into your regular business routines. External audits, when required, are more formal and are conducted by external QSAs or Approved Scanning Vendors (ASVs) to provide an objective assessment of your compliance status.

Essential Documentation for PCI Audits

For a successful PCI audit, you’ll need to compile and organise various documents, including:

  • Network diagrams
  • Security policies and procedures
  • Previous audit reports
  • Completed SAQs
  • Evidence of passed vulnerability scans

Leveraging ISMS.online for Audit Preparation

At ISMS.online, we offer document management features that streamline the preparation for PCI audits. Our platform allows you to securely store and organise all necessary documentation, making it readily accessible for both internal reviews and external assessments. With our support, you can ensure that your documentation is complete, up-to-date, and aligned with PCI DSS requirements, facilitating a smoother audit process.



ISMS.online and PCI DSS Compliance

Embarking on the journey to PCI DSS 4.0 compliance can be daunting, especially for Level 4 merchants with limited resources. At ISMS.online, we are committed to supporting you through every step of this process with tailored solutions that simplify and streamline your path to compliance.

Tailored Solutions for Level 4 Merchants

Our platform offers a suite of tools specifically designed to address the unique challenges faced by Level 4 merchants. From risk assessment modules to policy templates and control management systems, we provide the resources you need to meet the stringent requirements of PCI DSS 4.0.

Streamlining Your Compliance Process

Partnering with ISMS.online means gaining access to an integrated management system that aligns with the latest in security standards, including Annex L of ISO 27001:2022. Our platform facilitates a structured approach to compliance, enabling you to efficiently manage documentation, conduct risk analyses, and ensure that your security measures are up to date.

Ready to Secure Your Payment Processing?

If you're ready to take the next step in securing your payment processing and achieving PCI DSS 4.0 compliance, contact ISMS.online today. Our team of experts is here to provide you with the guidance and support necessary to protect your business and maintain the trust of your customers.
