PCI DSS Compliance Levels

An explanation of PCI DSS merchant and service provider compliance levels, transaction thresholds, and validation requirements for each level.

How PCI DSS compliance levels work

PCI DSS applies to any organization that stores, processes, or transmits cardholder data, or that could affect the security of that data. However, the validation requirements -- how you demonstrate compliance, and to whom -- vary with your transaction volume and business type. The PCI Security Standards Council publishes the standard itself, but it does not define compliance levels; each payment brand (Visa, Mastercard, American Express, Discover, and JCB) sets its own level thresholds and validation rules, and each brand counts only its own transactions when assigning a level. The levels are broadly similar across brands but not identical.

Knowing your compliance level is the first step in planning a PCI DSS compliance program. Your level determines whether you must have a Report on Compliance (ROC) produced through a formal assessment by a Qualified Security Assessor (QSA) or can self-validate with a Self-Assessment Questionnaire (SAQ). It does not change which PCI DSS requirements apply to you; those depend on how you handle cardholder data, not on your level.

Merchant compliance levels

Level 1 - Largest merchants

Transaction threshold: More than 6 million Visa transactions per year across all channels (Visa), or more than 6 million total Mastercard transactions per year (Mastercard). American Express sets its Level 1 threshold at 2.5 million American Express transactions per year. Visa and Mastercard also treat any merchant that qualifies as Level 1 under another brand's criteria as Level 1 for their own program.

Validation requirements:

  • Annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or, where the brand permits it, an Internal Security Assessor (ISA)
  • Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance (AOC) signed by the QSA (or ISA) and an officer of the organization
  • Annual penetration testing is not a separate Level 1 validation step; it is a PCI DSS requirement (Requirement 11) that applies to every in-scope entity and is assessed as part of the ROC

Who falls into Level 1:

  • Major retailers, airlines, and hospitality chains
  • Large e-commerce platforms
  • Any merchant that has experienced a data breach resulting in account data compromise (regardless of transaction volume)
  • Any merchant that a payment brand identifies as Level 1 at its discretion

Level 1 assessments are the most rigorous and expensive. The ROC process involves detailed evidence review, on-site interviews, system sampling, and testing of every applicable control across all 12 PCI DSS requirements. Assessments typically take several weeks to several months depending on the size and complexity of the cardholder data environment.

Level 2 - Mid-size merchants

Transaction threshold: 1 million to 6 million card transactions per year (Visa and Mastercard).

Validation requirements:

  • Annual Self-Assessment Questionnaire (SAQ) appropriate to the merchant's payment processing environment
  • Quarterly ASV vulnerability scans
  • Attestation of Compliance (AOC)

Some acquiring banks require Level 2 merchants to complete a ROC or to have a QSA validate their SAQ, particularly if the merchant operates in a high-risk industry or has had security incidents. Mastercard additionally expects Level 2 merchants who self-assess to have the SAQ completed by staff who hold current PCI SSC ISA accreditation, or else by a QSA. The specific SAQ type depends on how the merchant processes payments -- see the SAQ guide for details.

Level 3 - E-commerce merchants

Transaction threshold: 20,000 to 1 million Visa e-commerce transactions per year (Visa). Mastercard defines Level 3 the same way, as 20,000 to 1 million combined Mastercard and Maestro e-commerce transactions per year. Only card-not-present e-commerce transactions count toward this level; card-present volume is covered by the Level 1 and Level 2 thresholds above.

Validation requirements:

  • Annual SAQ appropriate to the merchant's environment
  • Quarterly ASV vulnerability scans
  • Attestation of Compliance (AOC)

Level 3 exists specifically for e-commerce merchants, reflecting the elevated risk of card-not-present transactions. In practice the validation requirements are the same as for Level 2; the difference is that the e-commerce threshold (20,000 transactions) is far lower than the all-channel threshold (1 million), so an online-only merchant reaches Level 3 long before a card-present merchant of the same size would reach Level 2.

Level 4 - Smallest merchants

Transaction threshold: Fewer than 20,000 e-commerce transactions per year, and no more than 1 million total transactions per year across all channels, for the brand in question.

Validation requirements:

  • Annual SAQ appropriate to the merchant's environment (recommended but determined by acquirer)
  • Quarterly ASV vulnerability scans (if applicable to the SAQ type)
  • Attestation of Compliance (AOC)

Level 4 encompasses the vast majority of merchants worldwide. While the validation requirements are the least demanding, the PCI DSS requirements themselves still apply in full. A data breach at a Level 4 merchant carries the same consequences as one at a Level 1 merchant, including likely reclassification to Level 1. Acquiring banks set their own validation requirements for Level 4 merchants, and some do not actively enforce SAQ completion, which leaves many small merchants with unassessed and unmonitored cardholder data environments.

Service provider compliance levels

Service providers -- organizations that store, process, or transmit cardholder data on behalf of other entities, or that could affect the security of cardholder data -- have their own compliance levels.

Service provider Level 1

Threshold: More than 300,000 Visa transactions per year (Visa), or more than 300,000 combined Mastercard and Maestro transactions per year (Mastercard). Regardless of volume, Visa classes all VisaNet processors as Level 1, and Mastercard classes all Third Party Processors (TPPs) as Level 1.

Validation requirements:

  • Annual ROC completed by a QSA
  • Quarterly ASV vulnerability scans
  • Attestation of Compliance (AOC) for Service Providers, signed by the QSA and an officer of the organization

Service provider Level 2

Threshold: Fewer than 300,000 card transactions per year.

Validation requirements:

  • Annual SAQ D for Service Providers
  • Quarterly ASV vulnerability scans
  • Attestation of Compliance (AOC) for Service Providers

Service providers must meet additional PCI DSS requirements that do not apply to merchants: penetration testing of segmentation controls at least every six months (merchants test annually), timely detection of and response to failures of critical security controls, a documented cryptographic architecture, quarterly reviews confirming that personnel follow security policies and procedures, executive accountability for protecting cardholder data, and a written acknowledgement to each customer of the PCI DSS requirements the provider is responsible for. Visa and Mastercard maintain public registries of validated service providers that merchants can check before engaging a provider.

Payment brand variations

While the levels described above represent the general framework, each payment brand has specific nuances:

  • Visa and Mastercard both distinguish e-commerce transaction counts (Levels 3 and 4) from all-channel transaction counts (Levels 1 and 2)
  • Mastercard runs its program as the Site Data Protection (SDP) program, which carries registration requirements and expects Level 2 merchants to self-assess only with ISA-accredited staff
  • American Express uses a lower Level 1 threshold (2.5 million transactions) and refers to its program as the Data Security Operating Policy (DSOP)
  • Discover follows a similar four-level structure under its Discover Information Security Compliance (DISC) program
  • JCB follows a structure aligned with Visa but with its own compliance program requirements
  • Every brand counts only its own transactions when assigning a level, so a merchant holds a separate level for each brand it accepts

Organizations that accept multiple card brands must meet the most stringent level applicable across all brands. If you process 3 million Visa transactions (Level 2 for Visa) and 3 million American Express transactions (Level 1 for American Express, whose threshold is 2.5 million), you must meet Level 1 validation requirements; Visa and Mastercard also explicitly reclassify a merchant as Level 1 when it meets another brand's Level 1 criteria.

How compliance levels affect your program

Assessment cost and effort

Level 1 assessments involving a QSA engagement can cost anywhere from roughly $50,000 to well over $500,000, depending on the complexity of the environment, the number of locations, and the maturity of existing controls. Self-assessment at Levels 2 through 4 avoids the QSA fee but still requires significant internal effort to gather evidence, answer the questionnaire accurately, and maintain the supporting documentation an acquirer or brand may later ask to see.

Scope reduction benefits

PCI DSS scope reduction techniques (network segmentation, tokenization, outsourcing payment pages to a validated provider) benefit organizations at every level. For Level 1 merchants, a smaller cardholder data environment means a shorter, less expensive QSA engagement. For Level 2 through 4 merchants, scope reduction may qualify you for a simpler SAQ type, cutting the questionnaire from over 300 questions (SAQ D) to a few dozen (SAQ A); the exact counts vary by PCI DSS version.

Acquirer requirements

Your acquiring bank (the bank that processes card transactions on your behalf) is accountable to the payment brands for its merchants' compliance, which is why it assigns your level and collects your validation documents; you remain responsible for actually being compliant. Acquirers may impose requirements beyond the minimum defined by the payment brands. Some require Level 2 merchants to undergo QSA assessments, mandate specific SAQ types, or set deadlines for compliance validation that differ from the payment brand's timelines.

Breach consequences by level

A data breach can result in reclassification to Level 1, non-compliance fines from the payment brands (commonly cited as $5,000 to $100,000 per month, levied on the acquirer and typically passed through to the merchant), mandatory forensic investigation by a PCI Forensic Investigator (PFI), liability for fraud and card reissuance costs, and potential loss of the ability to accept card payments. These consequences apply regardless of compliance level, which is why organizations at every level should invest in effective security controls rather than treating compliance as a box-checking exercise.

Determining your level

To determine your compliance level:

  1. Count your annual transactions separately for each payment brand you accept, across all channels, and count e-commerce transactions separately from the total
  2. Check each brand's thresholds against its own count, and take the most stringent resulting level
  3. Consult your acquiring bank for any additional requirements or level assignments it imposes
  4. Consider breach history -- a prior account data compromise places you at Level 1 regardless of volume
  5. Plan for growth -- if you are approaching a threshold, prepare for the next level's validation requirements before you cross it

Your compliance level is not static. As transaction volumes grow, you may move to a higher level with more demanding validation requirements. Building a mature compliance program early ensures a smoother transition when that time comes.
