PCI DSS Compliance Levels (1-4) Explained: Which Level Are You?
Quick Answer
PCI DSS has four merchant compliance levels based on annual card transaction volume: Level 1 (over 6 million transactions, any channel), Level 2 (1 to 6 million, any channel), Level 3 (20,000 to 1 million e-commerce transactions), and Level 4 (under 20,000 e-commerce transactions, or up to 1 million transactions across all channels). Each card brand counts its own transactions and sets its own thresholds; the figures above are Visa's. Higher levels require more rigorous validation: a QSA-led on-site assessment at Level 1, a Self-Assessment Questionnaire at the lower levels.
Understanding PCI DSS Compliance Levels
PCI DSS compliance levels determine how your organization must validate its compliance. The card brands (Visa, Mastercard, American Express, Discover) assign levels based on the number of card transactions you process annually. Higher transaction volumes mean stricter validation requirements.
Key Takeaways
- Level 1 merchants (over 6 million transactions per year) must have an annual on-site assessment by a QSA, documented in a Report on Compliance (ROC)
- Level 2-4 merchants can typically self-assess using a Self-Assessment Questionnaire (SAQ); Mastercard additionally requires that a Level 2 merchant's SAQ be completed by staff who have passed PCI SSC Internal Security Assessor (ISA) training, or by a QSA
- Quarterly external vulnerability scans by an ASV apply at every level wherever the merchant's SAQ type includes that requirement (SAQ B, for card-present merchants using imprint machines or standalone dial-out terminals, does not)
- A data breach can lead the card brands to place any merchant at Level 1, regardless of transaction volume
- Service providers have separate level definitions (Visa and Mastercard Level 1: over 300,000 transactions per year)
The Four Merchant Levels
| Level | Transaction Volume | Validation Method | Typical Cost Range |
|---|---|---|---|
| Level 1 | Over 6 million annually (any channel) | Annual ROC by QSA + quarterly ASV scans | $200,000-$500,000+/year |
| Level 2 | 1 to 6 million annually | Annual SAQ + quarterly ASV scans | $50,000-$200,000/year |
| Level 3 | 20,000 to 1 million e-commerce transactions | Annual SAQ + quarterly ASV scans | $10,000-$50,000/year |
| Level 4 | Under 20,000 e-commerce transactions, or up to 1 million transactions across all channels | Annual SAQ + quarterly ASV scans where the SAQ type requires them; Visa leaves Level 4 validation requirements to the acquiring bank | $1,000-$10,000/year |
Level 1: Enterprise Merchants
Level 1 is the most rigorous tier. It applies to any merchant processing over 6 million Visa or Mastercard transactions per year across all channels. These merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance (ROC).
- Annual on-site assessment by QSA producing a Report on Compliance (ROC)
- Quarterly network scans by an Approved Scanning Vendor (ASV)
- Annual penetration testing (internal and external), as required by PCI DSS Requirement 11; this is a requirement of the standard itself for every entity whose assessment scope includes it, not a Level 1 add-on
- Submission of Attestation of Compliance (AOC) to acquiring bank
- Any merchant that has experienced a data breach may be elevated to Level 1
Level 2: Large Merchants
Level 2 merchants process 1 to 6 million transactions annually. Under Visa's program they can self-assess using the appropriate SAQ, though some acquiring banks may require a QSA assessment depending on the merchant's risk profile. Mastercard is stricter: a Level 2 merchant's SAQ must be completed by staff who have passed PCI SSC ISA training, or the merchant must have an on-site assessment by a QSA.
Level 3: Medium E-commerce Merchants
Level 3 specifically targets e-commerce merchants processing 20,000 to 1 million online transactions per year. The focus on e-commerce reflects the higher fraud risk associated with card-not-present transactions.
Level 4: Small Merchants
Level 4 is the most common level, covering the vast majority of small businesses. Visa leaves the specific validation requirements for Level 4 to the acquiring bank, so enforcement is often less rigorous in practice. However, Level 4 merchants are not exempt from PCI DSS requirements; they simply have a simpler validation path, normally an annual SAQ plus ASV scans where the SAQ type calls for them.
Service Provider Levels
Service providers — companies that store, process, or transmit cardholder data on behalf of other entities — have their own level definitions:
| Level | Transaction Volume | Validation Method |
|---|---|---|
| SP Level 1 | Over 300,000 transactions annually | Annual ROC by QSA + quarterly ASV scans |
| SP Level 2 | Under 300,000 transactions annually | Annual SAQ D for Service Providers + quarterly ASV scans |
Differences Between Card Brands
Each card brand defines compliance levels slightly differently. The thresholds above are based on Visa's definitions, which are the most commonly referenced. Key differences:
Visa vs Mastercard Level Definitions
| Feature | Visa | Mastercard |
|---|---|---|
| Level 1 threshold | Over 6 million Visa transactions | Over 6 million combined Mastercard and Maestro transactions, or any merchant that meets Level 1 criteria of a competing brand |
| Level 2 threshold | 1 to 6 million Visa transactions | 1 to 6 million combined Mastercard and Maestro transactions, or any merchant that meets Level 2 criteria of a competing brand |
| Level 2 validation | SAQ; acquirer may require a QSA | SAQ completed by ISA-trained staff, or on-site QSA assessment |
| Level 3 scope | 20,000 to 1 million Visa e-commerce transactions | 20,000 to 1 million combined Mastercard and Maestro e-commerce transactions |
| Level 4 scope | Under 20,000 e-commerce, or up to 1 million across all channels | All other merchants |
| Breach escalation | May escalate any merchant to Level 1 | An Account Data Compromise (ADC) event places the merchant at Level 1 |
✅ Use the highest applicable level
If your transaction volumes place you at different levels across card brands, always comply with the most stringent level. For example, if you are Level 2 for Visa but Level 1 for American Express, treat yourself as Level 1.
How to Determine Your Level
Steps to Determine Your PCI DSS Level
Count your annual transactions
Tally your transactions for the past 12 months across every channel (in-store, online, phone, mobile), keeping a separate count per card brand: Visa counts only Visa transactions against its thresholds, Mastercard counts Mastercard and Maestro combined, and so on. Count individual transactions, not dollar volume, and keep the e-commerce subset separate because the Level 3 and Level 4 thresholds are keyed on it.
Check each card brand's thresholds
Compare your transaction count against Visa, Mastercard, Amex, and Discover level definitions. Each brand may classify you differently.
Apply the most stringent level
If card brands classify you at different levels, use the highest (most stringent) level as your compliance target.
Check for escalation factors
A previous account data compromise, brand discretion (Visa and Mastercard reserve the right to move any merchant to Level 1), or acquirer risk concerns such as high chargeback rates may elevate your level regardless of transaction volume.
Confirm with your acquiring bank
Your acquiring bank (the bank that processes your card payments) has the final say on your compliance level and validation requirements.
Can my compliance level change?
Yes. Your acquiring bank reassesses your level, typically once a year, as your transaction volume grows or shrinks. Additionally, a data breach or security incident can cause the card brands to move any merchant to Level 1, requiring a full QSA assessment regardless of transaction volume.
Do refunds and voided transactions count toward my level?
Generally, only authorized transactions count toward your level. Refunds, voids, and declined transactions are typically excluded, but check with your acquiring bank for their specific counting methodology.
What if I process cards through multiple acquiring banks?
Your total transaction volume across all acquiring banks determines your level. You cannot split transactions across acquirers to stay at a lower level.
Is Level 4 compliance optional?
No. PCI DSS compliance is required at all levels. Level 4 merchants must still complete the appropriate SAQ and maintain compliance. However, enforcement and audit requirements are less rigorous than higher levels.
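The steps above, together with the counting conventions from the questions that follow them (authorized sales only, all acquirers aggregated, the most stringent brand level wins, breach escalation to Level 1), as an added example that is not part of the original page. The Visa, Mastercard and Discover thresholds are the ones stated on this page; the American Express thresholds are an assumption taken from Amex's own program (2.5 million and over, 50,000 to 2.5 million, 10,000 to 50,000, under 10,000), and the `SummaryRow` layout and the sample rows are constructed for the example, not an acquirer's real reporting format.

```python
"""Determine a merchant's PCI DSS level from per-acquirer transaction summaries.

Added example, not code from the original page. Thresholds for Visa, Mastercard
and Discover follow the page; Amex thresholds and the input format are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class SummaryRow(NamedTuple):
    """One line of an acquirer's periodic count report (constructed format)."""
    acquirer: str   # which acquiring bank reported the row
    brand: str      # "visa", "mastercard", "discover", "amex"
    channel: str    # "ecommerce", "pos", "moto"
    kind: str       # "sale", "refund", "void", "declined"
    count: int      # number of transactions in the reporting period


def level_for(brand: str, total: int, ecom: int) -> int:
    """Map one brand's authorized-transaction counts to that brand's merchant level."""
    if brand == "amex":
        # Assumption: Amex program thresholds, all channels (not stated on this page).
        if total >= 2_500_000:
            return 1
        if total >= 50_000:
            return 2
        if total >= 10_000:
            return 3
        return 4
    # Visa / Mastercard / Discover as stated on the page.
    if total > 6_000_000:           # Level 1: over 6M, any channel
        return 1
    if total >= 1_000_000:          # Level 2: 1M-6M; exactly 1M is treated as Level 2 here,
        return 2                    # the boundary call belongs to the acquirer
    if ecom >= 20_000:              # Level 3: 20K-1M e-commerce
        return 3
    return 4                        # Level 4: under 20K e-commerce, up to 1M total


def count_authorized(rows: Iterable[SummaryRow]) -> Dict[str, Tuple[int, int]]:
    """Per brand: (authorized sales across every acquirer and channel, e-commerce subset).

    Refunds, voids and declines are excluded, the convention the page says most
    acquirers use; confirm the exact rule with your own acquirer.
    """
    total: Dict[str, int] = defaultdict(int)
    ecom: Dict[str, int] = defaultdict(int)
    for r in rows:
        if r.kind != "sale":
            continue
        total[r.brand] += r.count
        if r.channel == "ecommerce":
            ecom[r.brand] += r.count
    return {b: (total[b], ecom[b]) for b in total}


def merchant_level(rows: Iterable[SummaryRow], breach: bool = False) -> Tuple[int, Dict[str, int]]:
    """Most stringent level across brands (lowest number), plus the per-brand breakdown.

    A known account data compromise overrides volume and yields Level 1.
    """
    per_brand = {b: level_for(b, t, e) for b, (t, e) in count_authorized(rows).items()}
    if breach:
        return 1, per_brand
    if not per_brand:
        return 4, per_brand
    return min(per_brand.values()), per_brand


def level_if_split_per_acquirer(rows: Iterable[SummaryRow], brand: str) -> Dict[str, int]:
    """What each acquirer would see in isolation for one brand.

    Shown only to make the point that splitting volume across acquirers does not
    lower the real level; the brand counts the merchant's total.
    """
    by_acq: Dict[str, List[SummaryRow]] = defaultdict(list)
    for r in rows:
        if r.brand == brand:
            by_acq[r.acquirer].append(r)
    return {a: level_for(brand, *count_authorized(rs).get(brand, (0, 0)))
            for a, rs in by_acq.items()}


# Constructed sample: one merchant reporting through two acquirers over 12 months.
SAMPLE_ROWS = [
    SummaryRow("bank-a", "visa", "ecommerce", "sale", 15_000),
    SummaryRow("bank-b", "visa", "ecommerce", "sale", 8_000),     # pushes Visa e-com over 20K
    SummaryRow("bank-a", "visa", "ecommerce", "refund", 2_000),   # excluded from the count
    SummaryRow("bank-a", "visa", "pos", "sale", 400_000),
    SummaryRow("bank-a", "mastercard", "pos", "sale", 500_000),
    SummaryRow("bank-b", "mastercard", "ecommerce", "sale", 5_000),
    SummaryRow("bank-a", "amex", "pos", "sale", 60_000),
]

if __name__ == "__main__":
    overall, per_brand = merchant_level(SAMPLE_ROWS)
    print("per brand:", per_brand)                 # visa 3, mastercard 4, amex 2
    print("comply as Level", overall)              # 2: the most stringent brand result
    print("visa seen per acquirer:", level_if_split_per_acquirer(SAMPLE_ROWS, "visa"))
    print("after a breach: Level", merchant_level(SAMPLE_ROWS, breach=True)[0])
```

In the sample, each acquirer alone would see the Visa e-commerce volume as Level 4, but the brand counts the merchant's total of 23,000 e-commerce sales and places it at Level 3, while the Amex volume lands at Amex Level 2 under that brand's lower thresholds; the merchant therefore validates as Level 2, and as Level 1 if it has suffered an account data compromise.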