  • Level 1 Certified: since 2012
  • PCI DSS 4.0.1: current standard
  • Annual QSA Audit: third-party validated
  • Listed on Visa & Mastercard: service provider registries

What PCI Level 1 Means For Your Business

Level 1 is the strictest tier of PCI DSS, required of providers processing six million or more transactions a year. When UltraCart handles your cardholder data, your merchant account typically qualifies for the simplest self-assessment (SAQ-A), and your audit scope shrinks accordingly.

You Inherit Our Certification

Our platform's Level 1 validation covers the checkout, hosting, and data storage your store runs on. Those are the categories that would otherwise be your obligation to prove.

You Qualify for SAQ-A

Because UltraCart (not your site) handles, transmits, and stores cardholder data, you typically complete the shortest self-assessment questionnaire: 22 controls instead of 300+.

You Protect Brand Trust

Customers see the strongest security tier a platform can hold. You can answer "is your checkout PCI compliant?" with a two-word answer: Level 1.

How UltraCart Reduces Your PCI Burden

Every UltraCart storefront is engineered to keep cardholder data off your servers and inside our Level 1 environment.

Hosted & Iframe Checkout Surfaces

Custom Checkout, Checkout Only, and StoreFronts all render our checkout experience from the UltraCart domain or an iframe. Cardholder data enters our environment directly. It never touches your server or your code.

  • Eligible for the streamlined SAQ-A self-assessment
  • No card data in your logs, databases, or backups
  • Your developers never touch a PAN

Learn about Custom Checkout →

Tokenization & Vaulting

When you need to charge a saved card (subscriptions, renewals, phone orders, back-office entry), you work with a token, not a card number. The sensitive data stays locked inside UltraCart's vault.

  • PAN replaced with a token at the point of entry
  • Tokens useless outside the UltraCart environment
  • Subscriptions, saved payment methods, and recurring billing run on tokens end-to-end

Continuous Monitoring & Quarterly Scans

UltraCart runs the quarterly ASV scans, penetration testing, and continuous monitoring PCI DSS 4.0.1 demands, all on our infrastructure, not yours. You inherit the results through our attestation.

Strong Access Controls & MFA

Multi-factor authentication and role-based access control protect the merchant back office. Admin activity is logged, reviewed, and retained in line with Requirement 10 of PCI DSS 4.0.1.

Encryption Everywhere

AES-class encryption at rest, TLS 1.2+ in transit. Cardholder data is encrypted the moment it enters our environment and stays encrypted through storage, processing, and retrieval.

Mid-Call & Back-Office Payments

Take a payment over the phone or build an order in the back office without ever seeing or writing down a card number. Our CRM phone system and back-office order entry feed the checkout directly, keeping even agent-assisted payments inside the Level 1 boundary.

See the CRM phone system →

What We Handle, What You Handle

A plain-English view of how the PCI DSS 4.0.1 control areas split between UltraCart and your merchant account.

Control Area                                               UltraCart   You
Firewall configuration & secure networks                   ✓
Vendor-supplied defaults & system hardening                ✓
Encryption of stored cardholder data                       ✓
Encryption of card data in transit                         ✓
Vulnerability management & patching                        ✓
Quarterly ASV scans & penetration testing                  ✓
Logging & monitoring of the cardholder data environment    ✓
Annual third-party QSA audit & AOC                         ✓
Strong passwords & MFA for your merchant users                         ✓
Role-based access to your UltraCart account                            ✓
Completing your SAQ-A each year                                        ✓
Internal security policy for your staff                                ✓

SAQ type depends on how you integrate. Hosted checkout and iframe storefronts typically qualify for SAQ-A, the 22-control short form.

PCI DSS 4.0.1: The 12 Requirements

The controls every PCI DSS-validated provider must meet. We run these on our side so you can point at them on yours.

1. Install and maintain network security controls

Firewalls, network segmentation, and secure configurations protect the cardholder data environment from untrusted networks. UltraCart maintains and tests these controls continuously.

2. Apply secure configurations to all system components

No vendor defaults, no unnecessary services, hardened baselines. Every server, container, and appliance in UltraCart's cardholder data environment is configured against a documented standard.

3. Protect stored account data

Stored cardholder data is encrypted with strong cryptography and accessible only through authorized processes. Where tokenization is used, the sensitive data stays inside UltraCart's vault.

4. Protect cardholder data with strong cryptography during transmission over open, public networks

TLS 1.2 or higher on every inbound and outbound connection that touches cardholder data. No unencrypted transmission across public networks, ever.

5. Protect all systems and networks from malicious software

Anti-malware controls, continuous monitoring, and periodic review of those solutions are applied across the cardholder data environment.

6. Develop and maintain secure systems and software

Secure development lifecycle, code review, vulnerability management, and controlled change management for every release that touches the cardholder data environment.

7. Restrict access to system components and cardholder data by business need to know

Role-based access control, least-privilege defaults, and documented access provisioning. Nobody touches cardholder data who doesn't need to.

8. Identify users and authenticate access to system components

Unique IDs for every user, multi-factor authentication, and strong authentication policies for any access into the cardholder data environment.

9. Restrict physical access to cardholder data

Physical access to data centers and media containing cardholder data is restricted, logged, and monitored.

10. Log and monitor all access to system components and cardholder data

Every access to the cardholder data environment is logged, time-synchronized, and retained for forensic review. Logs are reviewed continuously for anomalies.

11. Test security of systems and networks regularly

Quarterly ASV scans, annual penetration testing, file integrity monitoring, and wireless scans. We run the tests and remediate findings on your behalf.

12. Support information security with organizational policies and programs

Documented security policy, annual risk assessments, security awareness training, incident response procedures, and formal vendor management. Updated to align with PCI DSS 4.0.1 expectations.

Effective March 31, 2025, the PCI Security Standards Council simplified SAQ-A for ecommerce merchants who fully outsource their cardholder data functions to a validated provider. That is exactly the posture UltraCart enables.

Merchant Levels, Explained

Your merchant level depends on annual transaction volume. Whichever level applies to your business, running on UltraCart shrinks the scope of what you have to validate.

Level     Annual Card Transactions   Typical Validation
Level 1   6M+                        On-site assessment by a QSA, annual Report on Compliance
Level 2   1M–6M                      Annual Self-Assessment Questionnaire
Level 3   20K–1M ecommerce           Annual Self-Assessment Questionnaire
Level 4   Under 20K ecommerce        Annual Self-Assessment Questionnaire

Thresholds follow the Visa and Mastercard merchant-level definitions. UltraCart itself operates at Level 1 as a service provider, the strictest tier available.

Verify Our Certification

UltraCart has maintained PCI DSS Level 1 certification continuously since 2012. Our current listing is public on both the Visa and Mastercard service provider registries.

Frequently Asked Questions

What does PCI Level 1 mean?

PCI Level 1 is the strictest tier of the Payment Card Industry Data Security Standard. It applies to service providers and merchants handling six million or more card transactions a year and requires an annual on-site audit by a Qualified Security Assessor, quarterly vulnerability scans by an Approved Scanning Vendor, and formal attestation to all 12 PCI DSS requirements.

Does running my store on UltraCart make me PCI compliant?

Running on UltraCart dramatically shrinks what you're responsible for validating, but every merchant still has to complete their own Self-Assessment Questionnaire each year. Because UltraCart handles the cardholder data, most merchants qualify for SAQ-A (the shortest form), which covers the handful of controls that stay on your side.

Which SAQ do I fill out when I use UltraCart?

Most merchants using UltraCart's hosted checkout, Checkout Only, or StoreFronts qualify for SAQ-A, which validates 22 controls. If you build a custom integration that processes card data on your own servers, you may fall under SAQ-A-EP or SAQ-D. When in doubt, ask your acquiring bank or QSA. The integration method drives the SAQ type.

What is PCI DSS 4.0.1?

PCI DSS 4.0.1 is the current version of the Payment Card Industry Data Security Standard, published by the PCI Security Standards Council. It strengthens authentication, expands targeted risk analysis, and modernizes encryption and monitoring expectations. UltraCart is validated against 4.0.1.

How long has UltraCart been PCI Level 1 certified?

UltraCart has maintained PCI DSS Level 1 certification continuously since 2012. Every year since has included a third-party QSA audit and renewed attestation.

How does UltraCart protect stored cardholder data?

Stored cardholder data is encrypted with strong cryptography and isolated inside our cardholder data environment. For recurring and agent-assisted charges, UltraCart stores a token in place of the card number. The real PAN lives only in our secure vault and is never exposed to your store, your staff, or anyone outside the Level 1 boundary.

Can I verify UltraCart's PCI compliance status myself?

Yes. UltraCart is listed on both the Visa Global Registry of Service Providers and the Mastercard SDP Compliant Registered Service Provider List. Links to both are in the Verify Our Certification section above.

Ready to Launch Your Online Store? It's Easier Than You Think!

Get started with UltraCart in just a few simple steps—no long commitments, no complicated setup. Just a streamlined experience designed to get your store live and making sales.

Clear Pricing

Transparent pricing that grows with your business—no hidden fees, just the tools you need to succeed.

Pricing and Plans

Dedicated Support

Friendly support ready to help you launch, grow, and answer any questions along the way.

Contact Support