
PCI DSS Level 1

PCI DSS Level 1 is the highest merchant validation tier used by major card schemes. It generally applies to merchants processing more than 6 million card transactions per year (thresholds can vary by brand and acquirer), or merchants that a card brand designates as high risk (for example, after a major compromise).

Why PCI DSS Level 1 Matters in EV Charging

For EV charging networks offering contactless / card payments, Level 1 affects how payment security is proven and audited—especially for public ad-hoc charging deployments with payment terminals and payment gateway integration.

Typical Level 1 Validation Requirements

Level 1 merchants typically must:
– Complete an annual Report on Compliance (ROC) (rather than only an SAQ)
– Have the assessment performed (or validated) by a Qualified Security Assessor (QSA)
– Perform quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) (commonly required as part of PCI validation programs)

Important Practical Note

“Level 1” is not defined by PCI SSC itself as a universal classification. Merchant levels and exact validation obligations are set by card brands and acquirers, so the final classification and evidence requirements are determined by your acquiring bank/payment partners.
