What Is PCI & What Are the 4 PCI Compliance Levels?

Written by TailWind | Feb 10, 2026 3:30:00 PM

If your organization handles credit card payments, complying with PCI DSS is non-negotiable. Yet according to Verizon’s 2024 Payment Security Report, only 14% of organizations maintain full PCI compliance [1]. Many business leaders still struggle to understand what PCI means, how it applies to their operations, and what’s required to stay compliant.

At TailWind, we help distributed enterprises meet compliance efforts across every location with managed IT services, cybersecurity solutions, and expert field support. Check out this guide to start navigating PCI compliance with confidence.

What Is PCI?

PCI stands for Payment Card Industry – specifically, it refers to the Payment Card Industry Data Security Standard, or PCI DSS. These standards protect cardholder data during and after a transaction, and any organization that handles credit card information is required to adhere to them.

PCI Meaning for Your Business

Complying with PCI DSS can help your business reduce the risk of threats like data breaches, fraud, and regulatory fines. Unfortunately, meeting the requirements isn’t always straightforward – especially for multi-location enterprises. That’s why TailWind helps clients align with compliance frameworks like PCI DSS by building security best practices into the networks we manage.

PCI DSS Meaning: What the Standard Covers

PCI DSS defines how organizations must secure their networks, devices, and data when handling payment card information.

What’s Included in PCI DSS?

PCI DSS covers 12 core security requirements organized into six control objectives:

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

If your business processes credit card payments – online or in-store – you’re responsible for ensuring that your environment complies with these requirements.

What is PCI DSS 4.0?

The latest version, PCI DSS 4.0, introduced important updates that reflect the changing security landscape. These updates provide more flexibility while raising the bar on what security measures organizations should implement, including robust authentication and encryption standards and continuous security monitoring rather than point-in-time checks.

At TailWind, we stay current with PCI DSS 4.0 and other evolving standards, so we’re always ready to help our clients align with new requirements and avoid compliance gaps.

What Is a PCI Assessment?

A PCI assessment is a formal evaluation that determines whether your business meets PCI DSS requirements. It typically includes:

  • Network and system analysis to understand your complete environment.
  • Security control verification to confirm controls are properly implemented and effective.
  • Review of your policies, processes, and documentation to ensure they align with PCI requirements.
  • Vulnerability scanning and pen testing to identify weaknesses before attackers can exploit them.

The format and scope of your PCI assessment depend on which PCI compliance level you fall into – which we’ll explain next.

The 4 PCI Compliance Levels Explained

PCI compliance isn’t one-size-fits-all. The PCI DSS defines four compliance levels based on the number of transactions your business processes each year. Here’s a breakdown of these levels:

Level 1 PCI Compliance

Who it applies to:

  • Merchants that process more than 6 million transactions per year
  • Any merchant that has experienced a data breach in the past
  • Global merchants identified as Level 1 by a credit card brand

Requirements:

  • Annual on-site assessment by a Qualified Security Assessor (QSA)
  • Quarterly network vulnerability scans
  • Attestation of Compliance

TailWind partners with Level 1 merchants to help manage the complex infrastructure, documentation, and security monitoring needed to meet this highest level of PCI compliance.

Level 2 PCI Compliance

Who it applies to:

  • Merchants that process 1 to 6 million card transactions per year

Requirements:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scans from an Approved Scanning Vendor (ASV)
  • Attestation of Compliance

Level 2 still requires rigorous controls and formal documentation. If you’re unsure how to approach PCI assessment at this level, TailWind can help you streamline testing and remediation with proven IT practices.

Level 3 PCI Compliance

Who it applies to:

  • Merchants that process 20 thousand to 1 million e-commerce transactions per year

Requirements:

  • Self-Assessment Questionnaire
  • Quarterly ASV scans
  • Attestation of Compliance

E-commerce platforms are especially vulnerable to security threats, which is why Level 3 PCI compliance is focused on online transaction environments.

Level 4 PCI Compliance

Who it applies to:

  • Merchants that process fewer than 20 thousand e-commerce transactions per year
  • Merchants that process up to 1 million total transactions annually via all channels

Requirements:

  • Self-Assessment Questionnaire, determined by your acquiring bank
  • Vulnerability scans, depending on your specific situation

Even though Level 4 PCI compliance has the least stringent requirements, small businesses are not immune to security risks. TailWind works with SMBs and franchise locations to secure networks and simplify compliance without overburdening your internal teams.

What’s the Cost of Failing to Comply With PCI DSS 4.0?

The penalties for PCI DSS non-compliance vary from payment processor to payment processor, so it can be difficult to pin down exact fines. However, fines compound for each month a business fails to comply, and the per-month charge increases the longer the business remains non-compliant.

For example, a business might pay $5,000 per month if it’s out of compliance for three months. But if it’s still non-compliant after seven months, it could pay $50,000 per month. In some cases, processors have imposed fines ranging from $50 to $90 for each customer affected by a data breach [2].

These aren’t “fines” in the same sense that you’d pay for violating a government regulation; they’re penalties built into the contract between merchants, payment processors, and credit card brands. So if your business is found to be non-compliant, the card brands could fine your payment processors, who then fine you as the merchant.

Get Expert PCI DSS Compliance Support From TailWind

No matter which of the PCI compliance levels you fall into, maintaining security isn’t a one-time event. Ongoing efforts should include:

  • Monitoring and logging system activity
  • Keeping software and firmware up to date
  • Compliance audits from a trusted provider
  • Securing remote access
  • Training employees on security best practices
  • Regularly reviewing your compliance posture

TailWind helps multi-site businesses simplify these compliance needs with centralized security frameworks, proactive monitoring, and IT services built to scale. Whether you're navigating your first PCI assessment or aligning with new PCI DSS 4.0 requirements, our managed network and field services teams are here to keep your infrastructure secure and compliant.

Book a meeting with our team today to learn more about how we can support your PCI compliance goals with scalable network solutions and expert guidance.

Sources:

  1. https://www.verizon.com/business/resources/T797/reports/2024-payment-security-report.pdf
  2. https://www.csoonline.com/article/569591/pci-dss-explained-requirements-fines-and-steps-to-compliance.html