PCI DSS Compliance Levels for Merchants and Service Providers 

December 8, 2025

PCI DSS compliance levels are determined by the volume of credit and debit card transactions a merchant processes annually. There are four levels, with Level 1 being the highest and Level 4 the lowest. Each level has specific validation and reporting requirements.

The PCI Security Standards Council (SSC) sets the standards for PCI DSS compliance levels. The specific requirements for each level can vary based on the acquiring bank or payment network. PCI DSS compliance is an annual process to ensure ongoing security.

Here's a breakdown of the four PCI DSS compliance levels:

  • Level 1: Merchants processing over 6 million transactions annually. 
  • Level 2: Merchants processing 1 million to 6 million transactions annually. 
  • Level 3: Merchants processing 20,000 to 1 million transactions annually. 
  • Level 4: Merchants processing fewer than 20,000 transactions annually.

The primary validation and reporting requirements include:

  • Level 1: Requires an annual on-site audit by a Qualified Security Assessor (QSA) and a Report on Compliance (ROC). 
  • Levels 2, 3, and 4: Typically require an annual Self-Assessment Questionnaire (SAQ). Some merchants at these levels may also be required to undergo an on-site audit. 
  • All Levels: May require quarterly network scans by an Approved Scanning Vendor (ASV).

What Are PCI DSS Compliance Levels? 

PCI DSS compliance levels categorize organizations based on the volume of card transactions they process annually. These levels determine the specific security and reporting requirements that an organization must meet to protect sensitive cardholder data. Each level has distinct guidelines, reflecting the potential risk posed by processing various transaction volumes. The higher the level, the greater the security demands and validation rigor required to demonstrate compliance.

Being categorized incorrectly or failing to understand one’s PCI DSS compliance level can result in organizations missing critical requirements, exposing themselves to data breaches or fines. Knowing your precise level ensures you apply the correct technical and administrative controls.

In this article:

  • PCI SSC: The Authority Behind PCI Compliance Levels
  • PCI DSS Levels for Merchants
  • PCI DSS Levels for Service Providers
  • How to Determine Your PCI DSS Compliance Level

PCI SSC: The Authority Behind PCI Compliance Levels 

The Payment Card Industry Security Standards Council (PCI SSC) is an independent body formed by major payment brands, including Visa, MasterCard, American Express, Discover, and JCB. Its primary role is to develop and manage security standards—most notably, the PCI Data Security Standard (PCI DSS)—to secure cardholder data and guide organizations handling payment cards. The Council also maintains supplemental standards, training, and resources to help organizations implement best practices.

PCI SSC does not directly enforce compliance; instead, it provides the framework and standards, while enforcement is handled by the individual payment brands and acquiring banks. The Council continuously updates PCI DSS in response to emerging threats, technological advances, and feedback from stakeholders.

PCI DSS Levels for Merchants 

PCI DSS categorizes merchants into four compliance levels, based on the number of transactions they carry out and other criteria. The sections below describe the thresholds and validation requirements of each merchant level in detail.


PCI DSS Level 1

Level 1 merchants process more than 6 million Visa or Mastercard transactions annually across all channels (eCommerce, retail, mail order/telephone order). This level also includes merchants of any volume that have suffered a data breach or are classified as high risk by a payment brand.

To validate compliance, Level 1 merchants must undergo an annual onsite assessment conducted by a Qualified Security Assessor (QSA) or an internal auditor, provided the report is signed by an officer of the company. The result is a detailed Report on Compliance (ROC) that documents how the merchant meets all PCI DSS requirements.

In addition to the ROC, Level 1 merchants must:

  • Submit an Attestation of Compliance (AOC)
  • Undergo quarterly network scans by an Approved Scanning Vendor (ASV)
  • Perform annual penetration testing of network and applications
  • Maintain documentation of security policies, procedures, and risk assessments
  • Demonstrate evidence of security training and incident response planning

PCI DSS Level 2

Level 2 is designated for merchants processing between 1 million and 6 million Visa or Mastercard transactions annually, regardless of the transaction channel. These merchants face lower validation demands than Level 1, but compliance requirements remain substantial.

Validation for Level 2 generally includes:

  • Completing an annual Self-Assessment Questionnaire (SAQ) appropriate to the business model (e.g., SAQ D for complex environments)
  • Conducting quarterly ASV scans
  • Submitting an AOC signed by an officer of the organization

In some cases, acquiring banks may require Level 2 merchants to perform a full ROC instead of an SAQ, especially if past security issues or inconsistencies are found.

PCI DSS Level 3

Level 3 merchants process 20,000 to 1 million Visa e-commerce transactions annually. This level is specific to online transaction volume, not total card activity across other channels.

Compliance validation requirements include:

  • Completion of the appropriate SAQ (often SAQ A or A-EP, depending on the technical environment)
  • Quarterly ASV vulnerability scans
  • Submission of a signed AOC

Level 3 merchants are typically small to medium-sized eCommerce businesses with a relatively straightforward cardholder data environment. However, since eCommerce platforms are frequent targets for cyberattacks, PCI DSS expects these merchants to ensure adequate segmentation, secure web hosting, regular software updates, and strong authentication measures.

PCI DSS Level 4

Level 4 is for merchants processing fewer than 20,000 Visa e-commerce transactions annually, or up to 1 million Visa transactions annually from all channels combined. These are usually small businesses or sole proprietors.

Although PCI SSC defines the baseline requirements, acquiring banks have discretion in how they enforce compliance at this level. 

Typical validation steps include:

  • Completing an annual SAQ (most often SAQ A or B for basic setups)
  • Possibly conducting quarterly ASV scans, depending on how card data is handled
  • Submitting an AOC if required by the acquirer

Although the scale of Level 4 merchants is smaller, they still face a significant risk of being compromised due to limited resources and technical expertise. As a result, payment brands and acquiring banks often offer additional support, tools, and incentives to help these merchants achieve compliance.

PCI DSS Levels for Service Providers 

PCI DSS categorizes service providers into two levels based on the volume of transactions they process or support and the risk they represent. These levels define the extent of compliance validation required.

Level 1 Service Providers

Level 1 applies to service providers that:

  • Store, process, or transmit more than 300,000 card transactions annually
  • Are designated as Level 1 by a payment brand or acquiring bank, regardless of volume

To validate compliance, Level 1 service providers must:

  • Undergo an annual onsite assessment conducted by a Qualified Security Assessor (QSA), resulting in a full Report on Compliance (ROC)
  • Complete an Attestation of Compliance (AOC)
  • Conduct quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
  • Perform internal and external penetration testing annually
  • Maintain and test incident response and security awareness training programs

Level 2 Service Providers

Level 2 includes service providers processing fewer than 300,000 card transactions annually and not otherwise designated as Level 1.

These providers must:

  • Complete an annual Self-Assessment Questionnaire (SAQ D)
  • Perform quarterly ASV scans
  • Submit a signed AOC

While Level 2 service providers are subject to less rigorous validation, they are still required to meet all applicable PCI DSS requirements in full. Acquiring banks may require a ROC instead of an SAQ if higher risk is identified or security history warrants closer scrutiny.

How to Determine Your PCI DSS Compliance Level 

To determine your PCI DSS compliance level, start by identifying your organization's role in the payment ecosystem—either as a merchant or service provider. Then, calculate the total number of Visa and Mastercard transactions your organization processes annually. This total should include all channels: in-store, online, and mail/telephone orders.

Merchants should classify themselves based on transaction volume thresholds defined by the card brands. For example, processing over 6 million transactions annually categorizes a merchant as Level 1. Similarly, service providers should assess whether they handle more than 300,000 transactions or have been designated as high-risk by a payment brand, which places them in Level 1.

In some cases, your acquiring bank or payment brand may assign a higher level based on factors such as breach history, business model complexity, or perceived risk. These entities have final authority in determining your compliance level, and their guidance should be followed even if transaction volumes suggest a lower level.

If your organization operates in multiple roles (e.g., both merchant and service provider), you must assess compliance separately for each. Once you identify your level, use it to align your validation efforts—whether through a self-assessment questionnaire or an independent audit—to meet all PCI DSS requirements applicable to your classification.
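The classification procedure above, as an added example that is not part of the original article: the thresholds (6 million and 1 million all-channel transactions, 20,000 e-commerce transactions, 300,000 service-provider transactions) and the breach/high-risk override are taken from the text; the function names, the `MerchantProfile` type, the handling of a volume that lands exactly on a boundary, and the multi-role assessment helper are assumptions made for illustration. The example goes slightly beyond the text by checking both roles in one call, since the article says each role must be assessed separately.

```python
# Added example: encodes the PCI DSS level thresholds described in the article.
# Names, types and boundary handling are assumptions; the article's acquirer
# or payment brand always has final say over the assigned level.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MerchantProfile:
    all_channel_txns: int            # annual Visa/Mastercard transactions, all channels
    ecommerce_txns: int              # subset of the above that are e-commerce
    breached: bool = False           # has suffered a cardholder data breach
    designated_level_1: bool = False  # classified high risk / Level 1 by a brand or acquirer


# Validation steps per merchant level, summarised from the article's sections.
MERCHANT_VALIDATION: Dict[int, List[str]] = {
    1: ["Annual onsite assessment by a QSA (Report on Compliance)",
        "Attestation of Compliance (AOC)",
        "Quarterly ASV scans",
        "Annual penetration testing"],
    2: ["Annual Self-Assessment Questionnaire (SAQ)",
        "Quarterly ASV scans",
        "Signed AOC"],
    3: ["Annual SAQ (often SAQ A or A-EP)",
        "Quarterly ASV scans",
        "Signed AOC"],
    4: ["Annual SAQ (often SAQ A or B)",
        "Quarterly ASV scans if required by the acquirer",
        "AOC if required by the acquirer"],
}


def merchant_level(p: MerchantProfile) -> int:
    """Return the merchant level (1-4) implied by the article's thresholds."""
    if p.ecommerce_txns > p.all_channel_txns:
        raise ValueError("e-commerce volume cannot exceed all-channel volume")
    # A breach or an explicit brand/acquirer designation forces Level 1
    # regardless of volume.
    if p.breached or p.designated_level_1:
        return 1
    # Levels 1 and 2 are defined on all-channel volume.
    if p.all_channel_txns > 6_000_000:
        return 1
    if p.all_channel_txns >= 1_000_000:   # assumption: exactly 1M counts as Level 2
        return 2
    # Level 3 is defined on e-commerce volume only; everything else is Level 4.
    if p.ecommerce_txns >= 20_000:
        return 3
    return 4


def service_provider_level(txns: int, designated_level_1: bool = False) -> int:
    """Return the service-provider level (1 or 2)."""
    if designated_level_1 or txns > 300_000:
        return 1
    return 2


def required_validation(level: int) -> List[str]:
    """Validation steps for a merchant level, per the article's summary."""
    return list(MERCHANT_VALIDATION[level])


def assess_organization(merchant: Optional[MerchantProfile] = None,
                        sp_txns: Optional[int] = None,
                        sp_designated_level_1: bool = False) -> Dict[str, int]:
    """Assess each role the organization holds separately, as the article requires."""
    result: Dict[str, int] = {}
    if merchant is not None:
        result["merchant"] = merchant_level(merchant)
    if sp_txns is not None:
        result["service_provider"] = service_provider_level(sp_txns, sp_designated_level_1)
    return result


if __name__ == "__main__":
    # Constructed sample: a mid-sized retailer that also hosts payments for others.
    org = assess_organization(MerchantProfile(500_000, 30_000), sp_txns=120_000)
    for role, level in org.items():
        print(role, "->", "Level", level)
    for step in required_validation(org["merchant"]):
        print("  -", step)
```

Running the block prints the merchant level (3, because 30,000 e-commerce transactions fall in the 20,000 to 1 million band) and the service-provider level (2) for the constructed organization, followed by the Level 3 validation steps.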

Automating PCI DSS Compliance with Anecdotes.ai

Anecdotes’ AI-native GRC platform empowers you to automate the collection of even the most complex evidence from your tech stack, and monitor your environment to confidently meet the requirements of PCI-DSS.

Scoping Your CDE

PCI-DSS is designed to help companies avoid risks by securely handling their Cardholder Data Environments (CDE). A common challenge in this process is accurately scoping the relevant components of the CDE, an effort that often demands significant resources. The Anecdotes platform addresses this challenge head-on with data solutions that include scoping management, providing detailed and granular control over the CDE you're monitoring.

Attest to SAQs With Complete Confidence

PCI Self-Assessment Questionnaires (SAQs) are commonly required from merchants and service providers who handle card payments. To self-attest to these questionnaires confidently and accurately, relying solely on sporadic human-powered workflows is insufficient. Continuous monitoring of your PCI environment is crucial to ensure your responses are comprehensive and free from blind spots. The Anecdotes platform provides data-based automation and out-of-the-box cross-mapping to SAQs, offering a dependable and trustworthy solution.

To learn more, visit Anecdotes.ai 
