What is PCI DSS level 1? A complete guide for merchants and service providers
As a Level 1 merchant handling over 6 million transactions annually (over 300,000 if you’re a service provider), you face a different compliance reality than most.
You have to get a large majority of controls right, prove your defenses under rigorous annual QSA audits and quarterly scans, and stop breaches before they happen — all while keeping your payment infrastructure and operations working without interruption.
This guide breaks down exactly what to do if you’re classified as PCI DSS (Payment Card Industry Data Security Standard) Level 1, what QSAs expect, and how to stay compliant without slowing down your operations.
Who needs PCI DSS level 1, and what does it take to get there?
PCI DSS level 1 is defined differently by each of the five major card brands (Visa, Mastercard, Discover, American Express, and JCB). Understanding exactly which criteria apply to your business is critical, because you're automatically classified at the highest level required by any card brand you accept.
This means if you process 1.5 million JCB transactions annually, you're Level 1 for JCB—and therefore Level 1 overall, even if your Visa volume is far lower.
Why Level 1 exists: The ripple effect of large-scale breaches
When you process millions of transactions or serve hundreds of merchants as a service provider, a single breach doesn't just affect your business—it cascades across the entire payment ecosystem. Compromised card data leads to:
- Mass card reissuance by issuing banks (costing $5-10 per card)
- Fraudulent transactions that trigger chargebacks and investigations
- Consumer distrust that impacts card usage industry-wide
- Regulatory scrutiny that affects all participants in the payment chain
That's why Level 1 requirements are so stringent. The stakes aren't just your business's survival—they're the integrity of the global payment infrastructure.
When merchants must meet Level 1 requirements
Here's how each card brand determines Level 1 classification:
Visa Level 1 Merchants
You must meet Level 1 requirements if any of the following conditions apply:
- Processes 6 million or more Visa transactions annually (across all channels—card-present, card-not-present, and e-commerce)
- Experiences a data breach or security attack that results in the compromise of Visa account data
- Is determined to be Level 1 by Visa at their sole discretion, based on risk factors or other security considerations
Mastercard Level 1 Merchants
You must meet Level 1 requirements if any of the following conditions apply:
- Processes 6 million or more total combined Mastercard and Maestro transactions annually
- Suffers a security incident that compromises Mastercard or Maestro cardholder data
- Is determined by Mastercard to meet Level 1 requirements in Mastercard's sole discretion to minimize risk to the payment system
- Meets Level 1 criteria for Visa (Mastercard aligns with Visa's Level 1 determination)
Discover Level 1 Merchants
You must meet Level 1 requirements if any of the following conditions apply:
- Processes 6 million or more Discover transactions annually on the Discover network
- Suffers a data security breach that results in the actual or suspected compromise of Discover cardholder data
- Is designated as Level 1 by another card brand (e.g., Visa, Mastercard, American Express, or JCB)
- Is determined to be Level 1 by Discover at Discover's sole discretion
American Express Level 1 Merchants
You must meet Level 1 requirements if either of the following conditions applies:
- Processes 2.5 million or more American Express transactions annually
- Experiences a data breach that impacts American Express cardholder data
Note: American Express has a significantly lower transaction threshold than Visa, Mastercard, and Discover, meaning many merchants reach Level 1 status through their American Express volume alone.
JCB Level 1 Merchants
You must meet Level 1 requirements if either of the following conditions applies:
- Processes 1 million or more JCB transactions annually
- Experiences a security breach involving JCB cardholder data
Note: JCB has the lowest transaction threshold of all card brands and only recognizes two merchant levels (Level 1 and Level 2), making it easier for merchants to cross into Level 1 territory.
How to achieve PCI DSS Level 1?
1. Define your PCI DSS scope
Before you can prove compliance, you need to know exactly what you're protecting.
You must identify every component, person, and process that stores, processes, or transmits cardholder data. This includes your Cardholder Data Environment (CDE)—the complete network of payment systems, databases, applications, and connected infrastructure that touches card data.
This matters for Level 1 because if you set your scope wrong, you're facing one of two costly scenarios:
- Under-scope: Miss systems that handle card data, leaving gaps that auditors will flag and attackers will exploit.
- Over-scope: Include unnecessary systems in your compliance program, inflating costs and audit timelines by 30-50%.
2. Annual on-site audit by a QSA
The assessor validates all 12 PCI DSS requirements through interviews, configuration reviews, and control testing. This comprehensive process results in a Report on Compliance (ROC), which serves as official proof of your adherence to the standard. Think network security, access controls, encryption, monitoring—the full stack.
3. Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
These scans probe your public-facing systems and apps to identify exploitable weaknesses before malicious actors do.
4. Annual (and post-significant infrastructure changes) penetration tests
Skilled ethical hackers simulate real-world attacks on networks and apps, uncovering gaps that automated tools might miss.
5. Internal vulnerability scans
You verify internal segmentation and ensure cardholder data isn’t exposed within your network. Internal vulnerability scans are required at least quarterly and after significant changes—not just as a one-time verification step.
6. Attestation of Compliance (AOC)
A formal sign-off—by both you and your QSA—that every requirement is in place and effective. The ROC, along with the AOC, must be submitted to your acquiring bank and the relevant card brands as part of your annual PCI DSS Level 1 obligations.
By satisfying these requirements, you prove to customers, partners, and regulators that your security controls not only exist on paper but operate effectively under real-world conditions. Falling short at any point isn’t merely a failed audit; it puts your entire payment ecosystem at risk.
Why PCI DSS level 1 compliance matters to your business
PCI DSS Level 1 compliance isn’t just a checkbox—it’s a strategic advantage that directly impacts your bottom line, operations, and brand reputation.
Avoid costly fines and penalties
Non-compliance can cost up to $100,000/month in card brand fines—often passed down by your acquiring bank. But the financial damage doesn't stop there.
A breach or compliance failure triggers a cascade of expenses: mandatory forensic investigations (typically $50,000-$500,000+), card replacement costs for affected customers, and increased transaction fees from acquirers who now view you as high-risk.
Combined, these costs can easily exceed millions before you've even addressed the root cause. Staying audit-ready means no fire drills, no surprises.
Protect your brand—and customer trust
A single breach involving millions of card records can lead to class-action lawsuits, lost customers, and long-term reputational damage. Level 1 controls minimize attack surfaces and catch threats early.
Streamline enterprise partnerships
Major retailers and payment processors often require PCI DSS Level 1 certification before signing contracts. Holding this certification signals maturity and opens new revenue channels.
Lower insurance premiums
Demonstrated compliance with a gold-standard framework shows cyberinsurance providers you take security seriously, which might result in lower premiums and better coverage.
Enhance operational efficiency
Rigorous control frameworks and continuous monitoring uncover inefficiencies in your infrastructure and processes. The result? Better resource allocation and faster incident response.
Stay on the right side of privacy laws
If an incident occurs, documented compliance efforts show regulators and courts that you took reasonable steps to protect customer data. This way, you can strengthen your legal defense and potentially reduce liability.
Keep your payment processing rights intact
Non-compliance can also result in losing your ability to process card payments altogether. For most businesses, this is an existential threat: no payment processing means no revenue.
Acquiring banks and card brands can revoke your merchant account or payment processing privileges if you fail to meet PCI DSS Level 1 requirements.
Maintaining compliance ensures uninterrupted business operations and preserves your fundamental ability to accept customer payments.
PCI DSS level 1 for merchants vs. service providers
Merchants and service providers both face PCI DSS Level 1 validation, but how those controls apply can look very different in practice. Here’s how the requirements break down by role:
Common challenges on the road to PCI DSS level 1 compliance
Even experienced security teams feel the pressure during Level 1 audits. PCI DSS Level 1 compliance isn’t just about having controls in place—it’s about proving they work, continuously. Here’s where teams often get stuck:
1. Manual evidence collection
Gathering logs, screenshots, and configuration files from dozens of systems regularly can consume hundreds of staff hours. When teams juggle spreadsheets, email attachments, and disparate ticketing systems, they risk missing deadlines or submitting incomplete evidence—triggering audit findings and costly rework.
2. Keeping up with continuous monitoring
It’s not enough to show your controls worked once. Level 1 demands proof that they work continuously. Without automated alerts and dashboards, teams scramble to prove that firewall rules, access controls, and encryption settings haven’t drifted since the last audit.
3. Coordinating between teams and QSAs
QSAs expect fast answers and real-time evidence. If your network, development, and compliance teams aren’t closely in sync, auditors waste time chasing down clarifications. This causes delays and inflates QSA fees.
4. Hybrid and multi-cloud complexity
Modern environments span AWS, Azure, Google Cloud Platform, on-premises servers, and third-party services. Applying PCI DSS controls evenly across all of them is tough—leading to scope creep, missed systems, and segmentation gaps that trigger audit issues.
5. Unpredictable costs
QSA engagement fees, ASV scanning licenses, penetration-test retests, and staff overtime—it adds up fast. And when remediation gets rushed in the final audit sprint, costs climb and team morale dips.
Automating PCI DSS level 1 compliance with Scrut
Scrut’s compliance automation platform helps you cut through complexity and get audit-ready faster. Here's how we simplify every step of your PCI DSS Level 1 journey:
Pre-built PCI DSS control frameworks, ready to go
Don’t waste weeks translating 300+ PCI DSS testing procedures across its 12 requirements into policies. Scrut gives you 50+ pre-built, expert-vetted policies mapped directly to PCI DSS controls. Customize them using Scrut’s editor to fit your workflows—no copy-pasting needed.
Continuous control monitoring
Scrut helps you validate your compliance in real time through automated checks against all mapped policies in the platform. The platform can notify your team immediately when a control is adrift—say, if firewall rules change or unsupported protocols appear—so you fix issues before they become audit findings.
Automated evidence collection
Maintaining logs, configurations, tickets, and code artifacts is a core PCI requirement. Scrut’s native integrations with AWS, Azure, GCP, GitHub, Jira, ServiceNow, and 70+ other systems continuously pull the exact data points tied to each control. Whenever a firewall rule changes or a vulnerability ticket closes, Scrut ingests the proof and attaches it automatically, ensuring you never miss evidence for quarterly scans or your annual ROC.
Centralized dashboard for real‑time status tracking
Scrut helps you monitor your compliance posture, risk profiles, vulnerability findings, and vendor assessments—all in one place. The platform's dashboards update in real time, ensuring stakeholders always have the latest insights and stay in sync.
Built-in QSA audit workspace
Scrut creates a shared workspace for real-time collaboration with your QSA, granting auditors access to evidence, clarifying findings, and closing gaps faster, with full transparency. All evidence is organized by control and visible in a centralized compliance dashboard, giving auditors and executives instant insight into your PCI DSS posture. When it’s time for the on-site assessment, your QSA can log into Scrut to review artifacts, leave comments, and sign off on controls—cutting audit timelines from weeks to hours.
Need to meet PCI DSS Level 1? Scrut automates the heavy lifting—so your team can stay focused on security, not spreadsheets. Schedule a demo with Scrut today.
FAQ
1. What is PCI Compliance Level 1?
It’s the highest level of PCI compliance, required for organizations processing over six million card transactions annually (for merchants), and over 300,000 card transactions annually (for service providers), as well as those that have had a data breach. It involves a rigorous annual on-site audit by a Qualified Security Assessor (QSA) and quarterly network scans to ensure strong cardholder data protection.
2. What is the difference between PCI Level 1 and Level 2?
It comes down to transaction volume and how compliance is validated:
- Level 1: For entities processing over six million transactions per year. Requires an annual QSA on-site audit and quarterly scans.
- Level 2: For those processing between one and six million transactions annually. Merchants will either conduct an annual self-assessment questionnaire (SAQ) or undergo a QSA on-site assessment if requested by the card brand or acquiring bank.
3. What is Level 1 data on Mastercard?
For Mastercard, Level 1 data includes the basic transaction details needed for standard processing—like the transaction amount, date, and merchant information. Unlike Level 2 or 3 data, it doesn’t include extras like tax breakdowns or item descriptions.
4. What is a PCI DSS Certified Level 1 Service Provider?
A PCI DSS Certified Level 1 Service Provider is a third-party organization that processes, stores, or transmits cardholder data on behalf of merchants and has achieved the highest level of PCI compliance. This certification involves an annual on-site assessment by a QSA. It shows they meet the strictest PCI DSS standards and can be trusted with sensitive payment information.