What is a Level 1 PCI Compliant Processor?

by Ben Dwyer

May 10, 2025

You may have seen it on a credit card processor’s website or promoted by a payment gateway company: We’re Level 1 PCI compliant.

As a business owner, you probably know that PCI compliance is required for all businesses that accept credit cards. But if your credit card processor is PCI compliant, does that mean they handle it for you? In short, no, though it is still beneficial for you.

What does it mean if a credit card processor is PCI Level 1 compliant?

Firstly, let’s talk about the levels.

For businesses like retailers and restaurants, there are 4 levels of PCI compliance, determined primarily by the number of transactions that business processes each month.

For service providers, such as credit card processors, there are only 2. Mastercard includes a chart on its website listing examples of the service providers that it applies to.

Those levels are still determined largely by the number of transactions, but the thresholds are different from those for the average business. Typically, each card brand's threshold counts only transactions for that brand, not transactions across all brands. In other words, when Mastercard states that Level 1 applies at 300,000 transactions per year or more, it means 300,000 Mastercard transactions, not a combined total of Mastercard and Visa transactions.

With that in mind, the thresholds are currently as follows:

  • Level 1: service providers that process at least 300,000 transactions per year
  • Level 2: service providers that process fewer than 300,000 transactions per year

So when your credit card processor states that it is Level 1 PCI compliant, it means that it processes at least 300,000 transactions per year, has been audited as a service provider, and has been found compliant with PCI standards. Most, if not all, of the actual security requirements are the same for both levels, but the validation requirements differ.

Specifically, Level 1 processors must have their processes and systems audited by Qualified Security Assessors (QSAs) to ensure they meet PCI requirements. Level 2 processors can submit a Self-Assessment Questionnaire (SAQ) instead.

Level 1 and Level 2 service providers must perform ongoing maintenance as well, such as quarterly network scans. It’s also worth noting that a service provider that qualifies as Level 2 by transaction volume can optionally choose to be validated as a Level 1 service provider and use a QSA for validation.

In short, a Level 1 PCI compliant processor has been determined to have secure systems for transmitting, storing, and processing credit card information.

Does that mean I don’t have to worry about PCI compliance at my business?

Unfortunately no. Your processor being PCI compliant is a critical step toward secure card transactions, but it does not absolve you of the responsibilities for your business when it comes to PCI standards. PCI compliance only applies to the business or service provider that was validated. You don’t get the benefit of their compliance simply by working with them as a customer. You’re still responsible for ensuring that you use secure systems for handling credit card information and that your staff is properly trained when it comes to security and card data.

Your specific processes and methods will affect how you achieve and maintain PCI compliance. You can greatly limit your scope by using approved third-party vendors and minimizing your actual exposure to card data.

For example, you’ll have higher security requirements and more PCI involvement if you store credit card data, even if only temporarily. Stored data must be encrypted, and access must be restricted to roles that need it for specific business purposes. This is where approved third-party vendors come in: if you use a secure card storage vault hosted by your credit card processor or gateway provider, they assume more of the responsibility for securing the data. The same is true for POS systems and online shopping carts. If you can purchase existing approved tools rather than paying someone to develop a new app or program for you, you’ll reduce your PCI compliance scope.

Of course, there are some situations where this can’t be avoided. For example, if you take phone orders and customers pay by reading out their card number so your staff can enter it into a virtual terminal, there’s no way to have a third-party tool collect that data instead. However, you should still work to find the most secure methods, such as using a virtual terminal developed and provided by your processing company.

Are all processors PCI compliant?

They should be, but newer or smaller processors may not have validated their compliance. Be careful if you come across processors that are not PCI compliant, as it increases your risk of security issues. Additionally, it may present complications for your own PCI compliance, since you’ll need to list the third-party service providers you use.

Many processors state right on their website that they are PCI compliant, but if you don’t see that, feel free to ask. There’s no reason a processor should be concerned about your request for information on their compliance. There are many compliant processors, so it’s worth the extra time to check into your options.

Optionally, you can get a free CardFellow.com account to get private quotes from multiple PCI compliant processors in one location, without having to call around individually.

Your PCI Compliance Responsibility

Most small businesses will need to complete a Self-Assessment Questionnaire (SAQ) to validate PCI compliance. There are several versions, and which one you need depends primarily on how you take and handle card information. Check out Help with PCI Self-Assessment Questionnaire for more info.

For all SAQs, you’ll fill out the information yourself, but will need to include details on your processor’s involvement in your business. (In fact, you’ll need to include all third-party service providers.)

For example, the PCI standards include requirements for encryption of card data. Your processor likely handles this for you, which you’ll need to confirm with them and then state that they are responsible for that PCI requirement. In some cases, you may be asked to include proof that your processor and other service providers are compliant themselves, such as by providing their Attestation of Compliance (AOC).

The PCI Security Standards Council publishes a guide on its website called Questions to Ask Your Vendors. Among other things, it suggests asking for the vendor’s Attestation of Compliance and confirming whether it covers the service(s) you’ll be using them for. It can be handy to keep a copy of the AOC on file in case you are asked for it in the future as part of your own PCI SAQ.

At the end of the day, working with a PCI compliant processor doesn’t absolve you of your own PCI responsibilities, but it can reduce your burden. If your processor handles many of the technical security aspects, such as encryption and tokenization, as well as hosting payment pages, you’ll have an easier time filling out your SAQ and listing those requirements as handled by your processor. You may even be able to use one of the simpler, streamlined SAQs.

Whether your credit card processor is Level 1 or Level 2 PCI compliant, working with a validated processor will make everything easier and more secure for your business.
