Skip to main content

Merchant PCI Compliance

Merchant PCI Compliance

Last updated: 29-Feb-2024
Rate this article:

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of global security standards designed to ensure that ALL companies that accept, process, store or transmit credit/debit card information and/or sensitive authentication data maintain a secure environment and customers and their data are protected no matter where they shop and what channel they use.

Most small merchants can use a self-validation tool to assess their level of cardholder data security.

The PCI DSS is administered and managed by the Payment Card Industry Security Standards Council (PCI SSC) (, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). The payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

To whom does the PCI DSS apply?

The PCI DSS applies only to merchants that want to place orders via credit cards. All other payment methods available via API do not fall under PCI DSS compliance.

The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, processes, transmits or stores any cardholder data. Using a third-party payment processor does not exclude a company from PCI DSS compliance. However, it does lower their risk exposure and consequently reduces the effort to validate compliance. There are four merchant levels (SAQ-A, SAQ-B, SAQ-C, SAQ-D) based on the number of transactions/card schemes (VISA, MasterCard)/most recent 12-month period.

Are there any penalties for non-compliance?

Yes, there are. The payment card brands may, at their discretion, fine an acquiring bank up to $500,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. But more devastating than fines, credit card companies can also revoke the right of a merchant to process credit card transactions, providing a “virtual death sentence” for many companies.

What do 2Checkout merchants need to do to be compliant?

To be PCI compliant, merchants need to submit self-assessment questionnaires (SAQs) based on their business environment and implementation type.

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended to meet the needs of particular types of environments. 

In which category do 2Checkout merchants fall in?

Based on the type of integration and the overall number of transactions forecasted for a 12-month period, 2Checkout merchants need the following PCI compliance level:



Required SAQ

Hosted shopping cart Hosted Cart SAQ-A
ConvertPlus shopping cart Hosted Cart SAQ-A

InLine shopping cart



Payment over API API SAQ-D
2Pay.js API SAQ-A

SAQ A is recommended for merchants with less than 20,000 transactions per year (Level 4) and mandatory for those that transact over this threshold.

Specific questions about compliance validation levels and what you must do to validate your SAQ should be addressed to the acquiring financial institution or payment card brand. Below are the major credit card brand compliance programs:

VISA and Mastercard compliance validation levels for merchants

Level no.

No. of card transactions/12 months

SAQ Requirement 

Level 4 up to 20K SAQ recommended, not mandatory
Level 3 20K - 1M SAQ mandatory
Level 2 1M - 6M SAQ mandatory, signed by a QSA or a trained PCI SSC ISA employee
Level 1 6M+ SAQ replaced with PCI DSS certification

Cart type/merchant level 

  Required SAQ Level 4 Level 3 Level 2 Level 1
Hosted shopping cart SAQ-A

Yearly: SAQ-A

Yearly: SAQ-A
Quarterly: ASV* Scan


Yearly: Attestation of Compliance ("AOC") by Qualified Security Assessor ("QSA")
Quarterly: ASV Scan
ConvertPlus  shopping cart SAQ-A

InLine shopping cart


Shopping cart via Order API (current API implementation) SAQ-D Required: 
Yearly: SAQ-D
Quarterly: ASV Scan

*ASV = approved scanning vendor

   2Checkout (now Verifone) is PCI Level 1 certified, which is the highest level of certification possible.
Rate this article:

Need help?

Do you have a question? If you didn’t find the answer you are looking for in our documentation, you can contact our Support teams for more information. If you have a technical issue or question, please contact us. We are happy to help.

Not yet a Verifone customer?

We’ll help you choose the right payment solution for your business, wherever you want to sell, in-person or online. Our team of experts will happily discuss your needs.

Verifone logo