PCI DSS Compliance Levels: Which Level Are You?
If you accept payment cards, you need to comply with the Payment Card Industry Data Security Standard. The catch is that not every business validates compliance the same way. PCI DSS compliance levels divide merchants and service providers into tiers based on transaction volume, and your level decides whether you fill out a self-assessment questionnaire over a weekend or hire a Qualified Security Assessor for a months-long audit.
This guide walks through the four merchant levels and the two service provider levels, the validation requirements for each, and how to figure out which one applies to you. By the end, you will know exactly which forms to complete, which scans to run, and what the bill is likely to look like.
What are PCI DSS compliance levels?
The PCI Security Standards Council and the five card brands (Visa, Mastercard, American Express, Discover, JCB) classify every business that touches cardholder data into a compliance level. The level is based on annual transaction volume across all channels, and it determines:
- The validation method (self-assessment vs Report on Compliance)
- The required scanning and testing frequency
- The audit cost
- The reporting timeline
The PCI DSS compliance levels themselves are set by the card brands, not the Council. Visa publishes its own table, Mastercard publishes another, and the thresholds happen to be very similar. Most acquirers default to the Visa table when they communicate level assignment to merchants.
Merchant compliance levels at a glance

The four merchant levels apply to any business that accepts card payments from customers. The thresholds use total annual transactions across all card brands.
| Level | Annual transactions | Validation | Frequency |
|---|---|---|---|
| Level 1 | Over 6 million | Report on Compliance (ROC) by QSA | Annual |
| Level 2 | 1 million to 6 million | Self-Assessment Questionnaire (SAQ) plus AOC | Annual |
| Level 3 | 20,000 to 1 million (e-commerce only) | SAQ plus AOC | Annual |
| Level 4 | Under 20,000 e-commerce, or under 1 million total | SAQ (often with acquirer flexibility) | Annual or as required |
Two important nuances apply. First, any merchant who has suffered a breach that resulted in cardholder data compromise is automatically promoted to Level 1, regardless of volume. Second, card brands reserve the right to assign a higher level at their discretion, particularly to businesses they consider high risk.
Level 1 merchants
Level 1 covers the largest merchants. Walmart, Target, Amazon, and similar retailers all sit here. The validation requirement is the heaviest:
- A full Report on Compliance prepared by a Qualified Security Assessor (QSA) or an internal auditor approved by the card brands
- An Attestation of Compliance signed by an executive
- Quarterly external network scans by an Approved Scanning Vendor (ASV)
- Annual penetration testing of the cardholder data environment
A Level 1 ROC engagement typically runs 8 to 16 weeks and costs between $40,000 and $200,000+ depending on environment complexity. For a deeper breakdown, see our guide on PCI DSS compliance.
Level 2 merchants
Level 2 applies to merchants processing 1 million to 6 million card transactions a year. These businesses can self-validate using a Self-Assessment Questionnaire rather than a full ROC, but most card brands require the SAQ to be reviewed and signed by an Internal Security Assessor (ISA) or QSA.
Level 2 still requires quarterly ASV scans. Penetration testing requirements depend on the SAQ type — SAQ D requires it; simpler SAQs may not.
Level 3 merchants
Level 3 covers e-commerce merchants processing 20,000 to 1 million online transactions. Brick-and-mortar businesses do not appear at Level 3 unless they have an e-commerce channel that hits the volume threshold.
Validation is the SAQ plus AOC, with quarterly ASV scans. Most Level 3 merchants complete SAQ A (fully outsourced e-commerce), SAQ A-EP (partially outsourced), or SAQ D for any other e-commerce architecture. Our PCI DSS SAQ guide walks through which questionnaire fits which payment flow.
Level 4 merchants
Level 4 is the catch-all for everyone smaller. The vast majority of US small businesses sit here. Validation requirements are technically defined by the acquirer rather than the card brands directly, which means they can be lighter than Level 3 in practice. Some acquirers ask only for an annual SAQ; others require quarterly ASV scans on top.
Service provider compliance levels
Service providers store, process, or transmit cardholder data on behalf of merchants. Payment gateways, hosting providers that store cardholder data, managed firewall providers, and third-party customer service vendors all fit this category. PCI DSS compliance levels for service providers use a different table.
| Level | Annual transactions stored, processed, or transmitted | Validation |
|---|---|---|
| Level 1 | Over 300,000 (Visa) or any service provider that connects directly to a payment network | Annual ROC by QSA, quarterly ASV scans, annual penetration test, AOC |
| Level 2 | Under 300,000 | Annual SAQ D for Service Providers, quarterly ASV scans, AOC |
The thresholds vary slightly by card brand. Mastercard, for example, sets the Level 1 service provider threshold at 300,000 combined Mastercard and Maestro transactions. Most service providers default to the strictest threshold across the brands they support.
Service providers face a market reality on top of the formal rules. Customers (the merchants buying their service) almost always insist on a Level 1 AOC even when the provider could legitimately validate at Level 2. Without a Level 1 AOC, a service provider effectively cannot sell to enterprise merchants. Many service providers therefore validate at Level 1 by choice, not by volume.
How to determine your PCI DSS compliance level
Three factors set your level: card transaction volume, breach history, and your acquirer's discretion. Walk through them in order.
1. Get your last 12 months of transaction counts from your acquirer or processor statements. Sum across all card brands. Do not just count Visa.
2. Check both physical and e-commerce volumes separately. A merchant who processes 25,000 e-commerce transactions and 2 million card-present transactions is Level 3 for e-commerce purposes (the higher tier between the two).
3. Review your breach history. A confirmed cardholder data breach in the last year automatically promotes you to Level 1.
4. Ask your acquirer to confirm in writing. They have the final word.
Many merchants skip step 4 and rely on a portal screen that says "you are Level 4." That is a useful starting point but not a contract. If you push past 1 million annual transactions mid-year, the acquirer can update your level retroactively, and you may discover you owe a Level 2 SAQ on the day of your annual attestation.
Validation requirements summary

The exact validation deliverables for each level look like this:
| Deliverable | Level 1 (M) | Level 2 (M) | Level 3 (M) | Level 4 (M) | Level 1 (SP) | Level 2 (SP) |
|---|---|---|---|---|---|---|
| Report on Compliance | Yes (QSA) | No | No | No | Yes (QSA) | No |
| Self-Assessment Questionnaire | No | Yes | Yes | Yes | No | Yes (SAQ D-SP) |
| Attestation of Compliance | Yes | Yes | Yes | Acquirer-defined | Yes | Yes |
| Quarterly ASV scans | Yes | Yes | Yes | Acquirer-defined | Yes | Yes |
| Annual penetration test | Yes | If SAQ D | If SAQ D | Rare | Yes | If SAQ D |
| Internal vulnerability scans (quarterly) | Yes | Yes | Yes | Yes | Yes | Yes |
The "M" columns are merchant levels; the "SP" columns are service provider levels. SAQ D-SP is the service provider version of SAQ D.
Common validation pitfalls
A few patterns trip up merchants every year, particularly when they move between PCI DSS compliance levels.
Confusing transaction count with revenue. Volume is measured in transactions, not in dollars. A subscription business with 4 million $5 charges sits at Level 1, while a luxury retailer with 50,000 $20,000 transactions is Level 3 or 4.
Counting only one card brand. All five brands roll into the volume calculation. Many small businesses look at Visa alone and conclude they are Level 4, when adding Mastercard and Amex pushes them into Level 3.
Assuming SAQ A covers all e-commerce. SAQ A is the lightest questionnaire and applies only when the merchant fully outsources cardholder data handling, including the payment page itself, with no JavaScript redirect from a merchant-controlled page. If you embed an iframe or use a JavaScript snippet from your processor, you are likely on SAQ A-EP, which has roughly 4x the controls.
Treating P2PE as a free pass. Point-to-point encryption with a validated PCI P2PE solution can dramatically reduce scope — but only when implemented exactly per the P2PE Implementation Manual. Misconfigured P2PE leaves you on the full SAQ D.
For a deeper look at how to reduce scope before you start the validation work, see our PCI DSS compliance checklist.
What this costs at each level
A rough range, based on engagements we have observed in 2025 and 2026, looks like this:
| Level | Annual cost (typical mid-market) | What is included |
|---|---|---|
| Merchant Level 1 | $50,000 to $250,000+ | QSA ROC, ASV scans, pen test, internal scans, remediation tooling |
| Merchant Level 2 | $15,000 to $50,000 | QSA-reviewed SAQ, ASV scans, internal scans, optional pen test |
| Merchant Level 3 | $5,000 to $15,000 | SAQ, ASV scans, internal scans |
| Merchant Level 4 | $500 to $5,000 | SAQ, optional ASV scans, optional internal scans |
| Service Provider L1 | $80,000 to $400,000 | QSA ROC, ASV scans, pen test, internal scans |
| Service Provider L2 | $20,000 to $60,000 | SAQ D-SP, ASV scans, optional pen test |
These figures exclude internal staff time, which is usually the larger budget line. A first-year Level 1 engagement consumes 800 to 2,000 internal engineering hours; the QSA is just the auditor. Compliance automation tools (Vanta, Drata, Secureframe, Sprinto) can compress that internal time by 30 to 60% through evidence collection automation.
When your level changes

Levels are not permanent. Two events can move you between PCI DSS compliance levels:
- Crossing a volume threshold. Most acquirers reassess annually. A growing merchant who crosses 1 million transactions in a calendar year moves from Level 4 to Level 2 or 3 at the next annual attestation cycle.
- A confirmed breach. Any cardholder data compromise pushes you to Level 1. The promotion is essentially permanent in practice: the card brands rarely move a previously breached merchant back down.
Plan for level changes early. The control set for Level 1 is the same as for Level 4 (all 12 PCI DSS requirements apply at every level). What changes is the validation rigor. Building Level 1 evidence after a breach, while operating under additional regulatory scrutiny, is far harder than building it gradually as you grow.
Frequently asked questions
Are PCI DSS compliance levels the same across all card brands?
Almost. The thresholds align very closely between Visa, Mastercard, Discover, JCB, and AMEX, but each brand publishes its own table and reserves the right to assign a higher level. Most acquirers default to the Visa table when communicating with merchants. If you process across multiple brands, the strictest brand wins.
Can a small business be forced into Level 1?
Yes. A confirmed cardholder data breach automatically promotes any merchant to Level 1 regardless of transaction volume. The card brands also reserve general discretion to assign a higher level if they consider the merchant high risk.
What is the difference between PCI DSS compliance levels for merchants and service providers?
Merchants accept payments from cardholders. Service providers store, process, or transmit cardholder data on behalf of others. Service providers face only two levels (1 and 2) instead of four, with stricter validation at both, because a single service provider compromise can affect thousands of merchants downstream.
How long does it take to validate at each level?
A Level 4 SAQ takes 1 to 5 days for a small business. A Level 2 or 3 SAQ takes 2 to 8 weeks including evidence gathering. A Level 1 ROC takes 8 to 16 weeks of fieldwork after a 4 to 8 week readiness assessment.
Do I need a QSA to validate at every level?
No. QSAs are only mandatory for Level 1 merchants and Level 1 service providers. Level 2 merchants must have their SAQ reviewed by an Internal Security Assessor or QSA per Visa rules, but the assessment itself is self-completed. Level 3 and 4 merchants can self-attest entirely.
What happens if I cross a level threshold mid-year?
Your acquirer typically waits until the next annual attestation cycle to update your level. If volume growth is dramatic or your acquirer has separate reporting obligations to the card brands, they may move your level mid-year. Always confirm in writing.
Are PCI DSS compliance levels going to change with PCI DSS 4.0?
No. PCI DSS 4.0 (effective March 31, 2024 with phased requirements through March 31, 2025) updates the requirements themselves, not the merchant or service provider level structure. The level thresholds are set by the card brands and have not changed. See our PCI DSS 4.0 requirements guide for the new control changes.
Bottom line
PCI DSS compliance levels are about validation rigor, not about which controls apply. Every merchant and service provider must implement the full standard. What changes from Level 4 to Level 1 is who signs off, how much paperwork goes to the acquirer, and how often outside scanners and auditors get involved.
The practical move for any business that touches card data is to confirm your level in writing with your acquirer, build to the next-higher level if you are within 25% of a threshold, and use an automation platform to keep evidence flowing year-round so the next cycle is faster than the last.
For the official thresholds, see the PCI Security Standards Council's documentation and the Visa, Mastercard, Discover, JCB, and AMEX merchant level tables.
