What Are the PCI DSS Levels?

PCI DSS levels are four categories that the card schemes use to classify merchants by the number of transactions they process for that scheme each year. Under Visa's thresholds, Level 1 is the highest and covers merchants processing more than 6 million Visa transactions annually, while Level 4 covers the smallest merchants: those with fewer than 20,000 e-commerce transactions, and all other merchants processing up to 1 million transactions. The PCI DSS security requirements are the same at every level; what differs is how compliance must be validated.

PCI DSS Merchant Levels Explained

The Payment Card Industry Data Security Standard (PCI DSS) applies to every organisation that accepts, processes, stores or transmits card data — regardless of size. However, the way you prove your compliance depends on how many card transactions you handle each year. This is where PCI DSS levels come in.

The card schemes (Visa, Mastercard and others) each define four merchant levels, counted in that scheme's own transactions. The thresholds below are Visa's, which are the most commonly referenced in the UK; Mastercard's thresholds are closely aligned.

The Four Merchant Levels

Level 1 — Over 6 Million Transactions Per Year

This is the highest compliance tier. Level 1 applies to the largest merchants (major retailers, airlines, utilities and any organisation processing more than 6 million Visa transactions annually). Visa or your acquirer may also place a merchant at Level 1 regardless of transaction volume, for example after an account data compromise.

Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA), producing a Report on Compliance (ROC) and a signed Attestation of Compliance (AOC). They must also have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).

Level 2 — 1 Million to 6 Million Transactions Per Year

Level 2 covers mid-to-large businesses. These merchants must complete an annual Self-Assessment Questionnaire (SAQ), although some acquirers require more: Mastercard, for example, requires Level 2 SAQs to be completed by staff trained as Internal Security Assessors (ISAs) or replaced by a QSA on-site assessment. Quarterly ASV scans are also required.

Level 3 — 20,000 to 1 Million E-Commerce Transactions Per Year

Level 3 is defined by e-commerce volume only. If your business processes between 20,000 and 1 million Visa e-commerce transactions per year, you fall into this category, provided your total volume across all channels stays below 1 million (otherwise you are Level 2). The requirements are an annual SAQ and quarterly ASV scans.

Level 4 — Fewer Than 20,000 E-Commerce Transactions, and All Other Merchants Up to 1 Million Transactions Per Year

Level 4 covers the vast majority of small and medium-sized businesses. The validation requirements are set by your acquirer and are lighter: typically an annual SAQ, plus quarterly ASV scans where the acquirer requires them (for example if you have internet-facing systems in scope). The PCI DSS security requirements themselves still apply in full. Being Level 4 does not mean you can ignore security; it means the way you prove compliance is simpler.

What Determines Your Level?

Your PCI DSS level is based on the number of transactions you process for a given card brand (Visa counts Visa transactions, Mastercard counts Mastercard transactions) across all channels (in-store, online, by phone) over a 12-month period. Your acquiring bank determines your level and tells you what validation is required. Important factors include:

  • Transaction volume across all channels, not just online. Only Level 3 is defined by e-commerce volume alone.
  • Card scheme rules. Visa and Mastercard use similar volume thresholds, but each counts only its own transactions and their validation requirements are not identical at every level.
  • Breach history. A merchant that has suffered an account data compromise can be escalated to Level 1 by the card scheme or acquirer, regardless of volume.
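To make the interaction between total volume, e-commerce volume and escalation concrete, here is an added example (not Paytia's code and not an official PCI SSC or Visa tool) that encodes the Visa thresholds described above as a classifier. It assumes the counts are Visa-branded transactions over the last 12 months, that the e-commerce count is a subset of the total, and that breach escalation is a discretionary decision by the acquirer or scheme rather than automatic; the `MerchantVolume` type and its fields are this example's own. It shows the ordering that resolves the overlap between the Level 3 and Level 4 definitions: total volume is checked first, and the e-commerce count only decides between Levels 3 and 4 once the total is below 1 million. Your acquirer's determination is authoritative.

```python
"""Visa merchant-level classifier (illustrative, not a vendor or PCI SSC tool).

Assumptions (stated in the lead-in): counts are Visa transactions for the last
12 months; `ecommerce` is a subset of `total`; escalation is an acquirer/scheme
decision recorded in `escalated`.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MerchantVolume:
    total: int                 # all Visa transactions, all channels
    ecommerce: int             # the e-commerce subset of `total`
    escalated: bool = False    # acquirer/scheme has placed merchant at Level 1


# Validation required at each level, per the thresholds on this page.
VALIDATION = {
    1: "annual on-site QSA assessment (ROC and AOC); quarterly ASV scans",
    2: "annual SAQ (QSA or ISA may be required by acquirer/scheme); quarterly ASV scans",
    3: "annual SAQ; quarterly ASV scans",
    4: "annual SAQ; quarterly ASV scans where the acquirer requires them",
}


def visa_merchant_level(v: MerchantVolume) -> int:
    """Return the Visa merchant level (1 to 4) for the given 12-month volumes."""
    if v.total < 0 or v.ecommerce < 0 or v.ecommerce > v.total:
        raise ValueError("e-commerce count must be between 0 and the total count")
    # Escalation (for example after an account data compromise) overrides volume.
    if v.escalated:
        return 1
    # Levels 1 and 2 are defined on total volume across all channels.
    if v.total > 6_000_000:
        return 1
    if v.total >= 1_000_000:
        return 2
    # Below 1 million total, the e-commerce count decides between Levels 3 and 4.
    if v.ecommerce >= 20_000:
        return 3
    return 4


def validation_for(v: MerchantVolume) -> str:
    """Return the validation requirement text for the merchant's level."""
    return VALIDATION[visa_merchant_level(v)]


if __name__ == "__main__":
    # Constructed sample merchants illustrating the boundary cases.
    samples = {
        "large retailer": MerchantVolume(total=7_000_000, ecommerce=0),
        "mixed mid-size": MerchantVolume(total=3_000_000, ecommerce=2_000_000),
        "online-heavy SME": MerchantVolume(total=900_000, ecommerce=500_000),
        "mostly in-store SME": MerchantVolume(total=900_000, ecommerce=5_000),
        "breached small shop": MerchantVolume(total=10_000, ecommerce=10_000, escalated=True),
    }
    for name, vol in samples.items():
        print(f"{name}: Level {visa_merchant_level(vol)} -> {validation_for(vol)}")
```

Note the "online-heavy SME" and "mostly in-store SME" cases: both process 900,000 transactions in total, but only the first is Level 3, because Level 3 is the one band defined on e-commerce volume. A merchant with 500,000 e-commerce sales and 700,000 in-store sales would be Level 2, since its total crosses 1 million.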

SAQ vs QSA Assessment

The main difference between levels is how compliance is validated. Lower levels can self-assess using a Self-Assessment Questionnaire (SAQ), of which there are several types depending on how you accept payments (for example SAQ A, A-EP, B, B-IP, C, C-VT, P2PE and D); the questionnaire is completed by the merchant and signed off on an Attestation of Compliance. Level 1 requires a formal on-site assessment by an independent Qualified Security Assessor, documented in a Report on Compliance.

Regardless of your level, the goal is the same: protect cardholder data and reduce the risk of a breach.

How Paytia Uses This

Paytia is certified to PCI DSS Level 1, the highest standard of compliance. This means Paytia has undergone a full on-site assessment by a Qualified Security Assessor and meets every one of the security controls required at that tier. (Service providers such as Paytia are assessed under the separate service provider levels rather than the merchant levels above, but Level 1 carries the same meaning: an annual QSA on-site assessment and Report on Compliance.)

When you process telephone payments through Paytia, your card data is handled entirely within Paytia's Level 1 certified environment. Your own systems never touch the sensitive data, which means your PCI DSS scope is dramatically reduced. For many businesses, this descoping means you can validate your compliance with a much simpler SAQ, often SAQ A, rather than the more demanding questionnaires that apply when you handle card data yourself. Confirm with your acquirer that you meet the SAQ A eligibility criteria, and keep a copy of the provider's Attestation of Compliance as evidence that the outsourced functions are covered.

In practical terms, using Paytia can reduce the set of PCI DSS requirements you must validate from the full standard to the much shorter list in a reduced-scope SAQ, saving time, money and complexity regardless of which merchant level applies to you.

Frequently Asked Questions

Which PCI DSS level applies to my business?

Your level is determined by the number of transactions you process per year for each card scheme, across all channels. Most small and medium-sized businesses fall under Level 4 (fewer than 20,000 e-commerce transactions, or up to 1 million total transactions in other channels). Your acquiring bank can confirm your exact level.

Does being Level 4 mean I do not need to comply with PCI DSS?

No. All four levels must comply with the full PCI DSS requirements. The difference is in how you validate that compliance. Level 4 merchants typically self-assess using a questionnaire, while Level 1 merchants require a formal on-site audit. The security standards themselves apply equally to everyone.

Can my PCI DSS level change?

Yes. If your transaction volume increases and crosses a threshold, you may move to a higher level with stricter validation requirements. Additionally, if your business suffers a data breach, your acquirer or the card scheme can escalate you to Level 1 regardless of your transaction volume.

See how Paytia handles PCI DSS levels

Book a personalised demo and we'll show you how our platform works with your setup.

Request a Demo