Merchant Levels and Their Impact on PCI DSS Compliance


If you work in retail or payment processing, you may already know about PCI DSS. However, you may not know the details of how compliance and transaction processing interact. For example, did you know that the size of your business and the number of transactions you process actually change how you comply with PCI DSS?

Here, we’ll break down the merchant levels in place to address this difference and how it could impact you as an organization facing PCI DSS requirements.


What Are the PCI DSS Merchant Levels?

PCI DSS is an industry-specific set of requirements put in place by the major card brands (Visa, Mastercard, American Express) that imposes security and privacy controls on organizations that store, process or transmit cardholder data. While general federal, state and local laws provide a penal framework for acts like theft and fraud, PCI DSS imposes actual technical controls on companies to minimize and mitigate fraud before it happens.

Not all companies are created equal, however, and PCI DSS assumes that larger businesses face more significant threats than smaller ones. The twelve core PCI DSS requirements are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

In addition to these requirements, merchants are assigned to levels based on their size and the volume of transactions they process, and each level carries its own validation responsibilities. The levels are:

  • Merchant Level 1: Any merchant that processes over 6 million transactions per year.
  • Merchant Level 2: Any merchant that processes between 1 and 6 million transactions per year.
  • Merchant Level 3: Any merchant that processes between 20,000 and 1 million transactions per year.
  • Merchant Level 4: Any merchant that processes fewer than 20,000 transactions per year.

Levels 2, 3 and 4 are somewhat similar, in that they are required to complete a Self-Assessment Questionnaire (SAQ). An SAQ essentially amounts to a self-assessment against PCI-approved controls to demonstrate compliance. Level 1, however, requires an annual external assessment by a certified PCI DSS assessor, such as a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA), resulting in a Report on Compliance (ROC) demonstrating adherence.

Level 2 merchants, alternatively and with approval, can undergo an external assessment leading to a ROC instead of an SAQ. These organizations must also undergo mandatory audits if they choose to use specific versions of the SAQ that are deemed insufficient for compliance on their own (SAQ A, SAQ A-EP or SAQ D).

Finally, any merchant can voluntarily undergo an assessment to complete a ROC rather than completing an SAQ.


Why Is PCI Compliance Important for Merchants?

Compliance may seem like just another hoop for your organization to jump through. PCI compliance, however, is exceedingly important for the safety of your business and your customers. Some of the critical areas that PCI helps serve are:

  1. Customer Privacy: Customers, when paying for services either through a POS or online, expect that their information remains private and secure. If you cannot provide that, you damage not only your brand reputation but the well-being of paying customers.
  2. Fraud Prevention: Fraud was already rising before COVID and skyrocketed during it. Proper PCI controls, while not 100% preventative, go a long way towards preventing fraud. Don’t forget that fraud impacts your bottom line as much as it impacts a customer’s account.
  3. Chargeback Prevention: A chargeback occurs when a customer disputes a charge and receives a refund (and you lose the money along with merchant standing). While most chargebacks result from fraud, many consumers have discovered how easy it is to dispute charges falsely to avoid paying for goods. Accordingly, adhering to PCI DSS controls can help you maintain the security and documentation necessary to stop chargebacks.
  4. Reduced Costs: Fraud and theft cost everyone: you, the card network, your acquiring bank, the issuing bank and the customer. If you don’t handle PCI DSS compliance properly, you expose yourself and a whole network of parties to unnecessary costs.


Lazarus Alliance Can Help with PCI DSS Auditing

Even if you are a merchant at level 3 or 4, the truth is that security auditing and maintenance are critical to your organization. Whether you are completing an SAQ or undergoing an audit, it’s crucial that you work with experts who can help you have not just compliant security, but the best security you can have based on your regulations and risk profile.

Lazarus Alliance brings decades of experience, automation and exposure to major compliance frameworks to make auditing simple and easy for you. This way, you can trust that your security works, that you are compliant and that you can focus on the work of building your business and serving customers.


Interested in Learning More About Lazarus Alliance PCI DSS Compliance Audit Services?

Call us at 1-888-896-7580 or fill out this form to learn more about our compliance and risk consulting and auditing services.

Download our company brochure.
