PCI Level 1
What Is PCI Level 1? Definition and How It Works
Definition
PCI Level 1 is the highest tier of PCI DSS compliance, applying to merchants or service providers that process over 6 million card transactions annually, requiring an annual on-site security assessment by a qualified third-party assessor and a formal Report on Compliance.
How it works
PCI compliance levels are determined by annual transaction volume, counted across all channels combined but within a single card brand. Level 1 applies when a merchant processes more than 6 million Visa or Mastercard transactions annually, or when a merchant has experienced a data breach that resulted in account data compromise, regardless of volume.
Level 1 merchants must complete an annual Report on Compliance (ROC): an on-site assessment conducted by a Qualified Security Assessor (QSA), a company certified by the PCI SSC to conduct formal PCI assessments. The ROC documents the assessor's findings against all 12 PCI DSS requirement areas and confirms whether the merchant is compliant. The ROC is submitted to the merchant's acquirer.
In addition to the annual ROC, Level 1 merchants must pass quarterly network vulnerability scans conducted by an Approved Scanning Vendor (ASV), maintain an incident response plan, and demonstrate continuous compliance with all 12 PCI DSS requirements between assessments.
Service providers (entities that store, process, or transmit cardholder data on behalf of merchants) have their own Level 1 threshold: service providers handling more than 300,000 transactions annually are typically Level 1. Service providers with Level 1 certification publish an Attestation of Compliance (AOC) that merchants can use to verify their provider's compliance status.
Why it matters
Level 1 certification as a service provider shifts compliance burden from merchants: merchants using a PCI Level 1 certified payment provider for card data handling can reference the provider's AOC in their own assessment and exclude the provider's systems from their scope. This is the primary compliance benefit merchants gain from using a certified provider.
QSA costs are significant: Level 1 assessments conducted by qualified QSA firms typically cost $50,000 to $200,000 or more depending on the complexity of the cardholder data environment. This cost must be planned for annually as part of the compliance budget.
ROC findings have a formal remediation process: if the QSA identifies deficiencies during the assessment, the merchant has a period to remediate before the ROC can be finalised. Findings that remain unresolved at the ROC submission deadline must be documented as exceptions, which creates acquirer and network scrutiny.
Level 1 maintains continuous pressure: unlike lower-level SAQ compliance, Level 1 assessments are conducted by external assessors who review evidence of continuous compliance throughout the year, not just a snapshot at assessment time. Evidence of compliance gaps during the year (missed vulnerability scans, access control lapses, unpatched systems) will surface in the assessment.
With PXP
PXP maintains PCI DSS Level 1 certification as a service provider, assessed annually by an independent QSA. Merchants using PXP's platform for card data handling can reference PXP's AOC to exclude PXP's processing infrastructure from their own PCI scope. PXP's current AOC is available upon request.
Frequently asked questions
What transaction volume triggers PCI Level 1 for merchants?
A merchant reaches PCI Level 1 when they process more than 6 million transactions annually across all channels for a single card brand (Visa or Mastercard counted separately). A merchant who processes 5 million Visa transactions and 5 million Mastercard transactions is Level 2 for each brand unless either brand's total exceeds 6 million. Volume thresholds are assessed per brand, not combined.
What is a QSA and how do merchants find one?
A Qualified Security Assessor (QSA) is a company that has been certified by the PCI SSC to conduct formal PCI DSS assessments (ROC engagements). The PCI SSC maintains a public directory of approved QSA companies on its website (pcisecuritystandards.org). Merchants requiring a Level 1 assessment should select a QSA with experience in their industry and payment environment; not all QSAs have equal experience with all merchant types.
What is an Attestation of Compliance (AOC) and how is it used?
An AOC is the formal document signed by a merchant or service provider and their QSA confirming that the assessed entity has completed a PCI DSS assessment and is compliant as of the assessment date. Merchants submit their AOC to their acquirer as proof of Level 1 compliance. When assessing service provider compliance, merchants should request the service provider's AOC and verify it is current and covers the relevant services.
How does PCI Level 1 certification from a payment provider benefit merchants?
A payment provider with PCI Level 1 certification as a service provider has been independently assessed and confirmed compliant across all 12 PCI DSS requirement areas. Merchants using that provider for card data handling can exclude the provider's systems from their own PCI scope, reducing the scope of their own assessment. The merchant's assessment then covers only their own systems that interact with the provider's compliant infrastructure.