Transitioning from a PCI DSS SAQ to a Level 1 Assessment

For PCI DSS-certified businesses, compliance obligations tend to grow alongside the business itself. Merchants and service providers are classified differently under PCI DSS, and the transition to Level 1 carries unique implications for each.

For merchants, Level 1 status is typically reached when an organization processes more than six million Visa or Mastercard transactions annually across all channels. For service providers, Level 1 classification generally applies when an organization stores, processes, or transmits cardholder data on behalf of other entities and either processes more than 300,000 transactions annually or is otherwise designated as Level 1 by a card brand or acquirer. Service providers may also be required to undergo a Level 1 assessment regardless of transaction volume due to the criticality of the services they provide.

Unlike merchant Levels 2 through 4 and service provider Level 2, where organizations may validate compliance with a Self-Assessment Questionnaire (SAQ), Level 1 merchants and service providers are required to undergo a formal Report on Compliance (RoC) completed by a Qualified Security Assessor (QSA) or, for merchants whose acquirer permits it, an Internal Security Assessor (ISA). This transition represents a significant increase in scope, rigor, and organizational effort, and it often catches organizations off guard.

This article outlines the most common challenges merchants and service providers face when moving from an SAQ to a Level 1 assessment and how to prepare effectively.

Getting Started with a Third-Party Audit

Moving from self-attestation to an independent third-party assessment is often the most difficult adjustment for both merchants and service providers. SAQs rely heavily on an organization’s interpretation of PCI DSS requirements, whereas a Level 1 assessment requires a QSA to independently test, validate, and document both the design and operating effectiveness of security controls.

Merchants often struggle when transaction flows, payment applications, or segmentation assumptions are challenged. Service providers frequently encounter increased scrutiny around shared environments, customer segmentation, and responsibility boundaries.

To ease the transition to working with a QSA, organizations should:

  1. Engage a QSA early to perform a readiness or gap assessment before the formal RoC begins
  2. Shift the internal mindset from passing an SAQ to proving compliance with objective, defensible evidence
  3. Train internal teams on how QSAs test controls, select samples, and evaluate evidence

Increased Scope and System Complexity

Organizations transitioning to Level 1 often discover that their PCI scope is significantly larger than anticipated. A QSA must fully understand cardholder data flows, system interconnections, cloud services, third-party providers, and supporting infrastructure.

For merchants, this often includes payment channels, ecommerce platforms, call centers, and point-of-sale systems. For service providers, scope frequently expands to include shared infrastructure, customer-facing systems, administrative access paths, and the segmentation controls used to isolate customer environments.

Common scope-related surprises include:

  1. Systems assumed to be out of scope due to informal or unvalidated segmentation
  2. Cloud and SaaS platforms with unclear shared responsibility models
  3. Legacy systems still connected to the cardholder data environment (CDE)

To prepare for expanded scope, organizations should:

  1. Conduct a detailed PCI scoping and data flow exercise to identify where cardholder data is stored, processed, or transmitted
  2. Implement and validate network and customer segmentation with documented testing results
  3. Maintain current system inventories and interconnection diagrams to support the assessor's understanding of the environment
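As an added example (not code from the original article), the following Python harness shows what documented segmentation testing can look like in practice: it probes each CDE host and port from an out-of-scope vantage point and compares what is actually reachable with the approved flows on the data-flow diagram, recording a timestamped result for each probe. Host addresses, zone names, ports, and the approved-flow list are constructed for illustration; in a real assessment they come from the scoping exercise above, and the tool is run from every out-of-scope network segment that is claimed to be isolated.

```python
"""Segmentation validation: probe CDE hosts from an out-of-scope vantage
point and compare what is reachable against the documented approved flows.

Added example, not from the original article. Hosts, zones, ports and
the approved-flow list below are constructed for illustration.
"""
import socket
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Flow:
    """One permitted network path into the CDE, as drawn on the data-flow diagram."""
    src_zone: str
    dst_host: str
    dst_port: int


# Constructed scope definition (assumption): in-scope CDE hosts and the
# services a QSA would expect to see probed from each out-of-scope zone.
CDE_HOSTS = {
    "10.10.1.10": "payment-app-01",
    "10.10.1.20": "card-db-01",
}
PROBE_PORTS = (22, 443, 1433, 3389, 5432)

# Constructed approved flows (assumption): only HTTPS to the payment app
# from the corporate LAN is documented; everything else must be blocked.
APPROVED_FLOWS = {
    Flow("corp-lan", "10.10.1.10", 443),
}


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_segmentation(src_zone: str, probe=tcp_probe) -> list:
    """Probe every CDE host and port from src_zone and classify each result.

    FAIL: reachable but not on the approved-flow list (segmentation gap).
    WARN: approved flow that is not reachable (diagram or rules may be stale).
    PASS: observed reachability matches the documented design.
    The probe function is injectable so results can be replayed or tested.
    """
    tested_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    findings = []
    for host, name in CDE_HOSTS.items():
        for port in PROBE_PORTS:
            reachable = probe(host, port)
            approved = Flow(src_zone, host, port) in APPROVED_FLOWS
            if reachable and not approved:
                status = "FAIL"
            elif approved and not reachable:
                status = "WARN"
            else:
                status = "PASS"
            findings.append({
                "tested_at": tested_at,
                "src_zone": src_zone,
                "dst_host": host,
                "dst_name": name,
                "dst_port": port,
                "reachable": reachable,
                "approved": approved,
                "status": status,
            })
    return findings


def summarize(findings: list) -> dict:
    """Count results by status; any FAIL means segmentation is not validated."""
    counts = {"PASS": 0, "WARN": 0, "FAIL": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


def segmentation_validated(findings: list) -> bool:
    """True only when no unapproved path into the CDE was observed."""
    return summarize(findings)["FAIL"] == 0


if __name__ == "__main__":
    # Run this from a host inside the out-of-scope zone being tested.
    results = validate_segmentation("corp-lan")
    for r in results:
        print(f'{r["status"]} {r["src_zone"]} -> {r["dst_name"]}:{r["dst_port"]} '
              f'reachable={r["reachable"]} approved={r["approved"]}')
    print(summarize(results))
```

The per-probe records, kept with their timestamps and the vantage point they were run from, are the kind of evidence a QSA can sample against the segmentation claims in the scoping document; a WARN is worth chasing as well, since an approved flow that no longer works usually means the diagram and the firewall rules have drifted apart.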

Evidence and Documentation Gaps

Level 1 assessments require extensive documentation demonstrating both control design and sustained operation over time. Evidence that may have been sufficient for an SAQ often fails under the depth and duration of RoC testing.

Merchants are often challenged by transaction-based controls, logging, and operational evidence. Service providers frequently struggle with documentation supporting shared responsibility, customer isolation, and administrative access controls.

Common failure points include:

  1. One-time screenshots instead of logs or reports covering the full testing period
  2. Policies that exist on paper but are not consistently followed in practice
  3. Undocumented or improperly justified compensating controls
  4. Evidence gathered only during the assessment rather than throughout the year

Best practices for evidence management include:

  1. Maintaining a centralized PCI evidence repository mapped directly to PCI DSS requirements
  2. Standardizing policies, procedures, and documentation templates across teams
  3. Collecting evidence continuously to demonstrate consistent control operation

Operational Maturity and Ongoing Compliance

Level 1 assessments place strong emphasis on whether security controls are consistently executed as part of normal business operations. This applies equally to merchants and service providers, though the controls themselves may differ in complexity.

Merchants are often evaluated on transaction monitoring, vulnerability management, and change control. Service providers face additional scrutiny around access management, customer provisioning, logging across shared systems, and segmentation enforcement.

To demonstrate operational maturity, organizations should:

  1. Formalize workflows for activities such as access provisioning, log reviews, vulnerability management, and change management
  2. Assign clear control ownership for each PCI requirement across merchant and service provider teams
  3. Leverage automation for logging, monitoring, access reviews, and alerting to reduce manual error and improve auditability

Cultural and Organizational Alignment

As organizations move to Level 1, PCI compliance expands beyond IT and security to include development, operations, legal, customer support, and executive leadership. This expansion is particularly impactful for service providers that support multiple customers and environments.

To support alignment, organizations should:

  1. Establish a cross-functional PCI governance team with defined roles and responsibilities
  2. Communicate the business impact of PCI noncompliance, including financial penalties, reputational damage, customer trust implications, and contractual risk
  3. Involve leadership at key milestones to reinforce that PCI compliance is a business risk and scalability issue, not just a technical exercise

Common Pitfalls in a First Level 1 Assessment

Organizations undergoing their first Level 1 assessment often encounter challenges that were not apparent during SAQ-based compliance. These pitfalls frequently delay assessments, increase remediation effort, or result in unexpected noncompliance findings for both merchants and service providers.

Common pitfalls include:

  1. Treating the RoC like an expanded SAQ rather than a formal audit requiring defensible testing and sustained evidence
  2. Lack of sufficient documentation, including missing procedures, outdated policies, or undocumented processes relied upon in practice
  3. Documentation that does not reflect actual operations, such as policies that exist on paper but are not consistently followed
  4. Assuming segmentation or scope reduction without documented validation and testing results
  5. Relying on inherited compliance from cloud platforms or upstream providers without clearly defining and documenting shared responsibility
  6. Unclear or missing control ownership across merchant or service provider teams, leading to inconsistent execution
  7. Underestimating the effort required to support evidence requests, interviews, and follow-up testing

Organizations that proactively identify and address these issues are significantly more likely to experience a smooth first Level 1 assessment.


Preparing for the Transition

Successfully moving from an SAQ to a Level 1 assessment requires early planning, realistic scoping, and a clear understanding of PCI DSS expectations for both merchants and service providers. Conducting a readiness assessment, engaging a QSA early, and addressing documentation and process gaps ahead of time can significantly reduce friction during the formal assessment.

While the transition can be challenging, it often serves as a forcing function for stronger security maturity, improved operational discipline, and readiness for enterprise customers, acquirers, and card brands.

CompliancePoint is an authorized PCI QSA. We have helped many organizations, including Level 1 merchants and service providers, navigate every step of the PCI DSS certification process. Contact us at connect@compliancepoint.com to learn more about how we can help your business achieve its PCI goals.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.