What Are the PCI DSS Levels?
PCI DSS levels are the four merchant tiers, numbered 1 to 4, that decide how a business has to prove it is compliant. The level you sit on depends on how many card transactions you process a year. Level 1 is the heaviest (an annual on-site assessment by a Qualified Security Assessor and a signed Report on Compliance); Levels 2 to 4 validate with a Self-Assessment Questionnaire (SAQ), quarterly ASV scans where the SAQ calls for them, and an Attestation of Compliance. Service providers run on a separate two-tier scale split at 300,000 transactions a year.
The PCI DSS levels (also called merchant levels or PCI levels) are four tiers that determine how a merchant validates compliance with the Payment Card Industry Data Security Standard. They are set by transaction volume: Level 1 is over 6 million card transactions a year and needs a full on-site assessment by a Qualified Security Assessor, Level 2 is 1 to 6 million transactions, Level 3 is 20,000 to 1 million e-commerce transactions, and Level 4 is fewer than 20,000 e-commerce transactions or up to 1 million transactions through other channels. Every level is validated against the same PCI DSS standard; the level only changes how you prove it. A breach can bump any merchant straight up to Level 1 regardless of volume.
The PCI DSS levels matter mainly because they decide your validation cost and effort, not which security controls apply to you. A Level 1 assessment by a QSA typically runs £30,000 to £80,000 a year and produces a signed Report on Compliance. A Level 4 merchant fills in the SAQ that matches how it accepts cards and submits an Attestation of Compliance, which is much lighter; the standard behind it is the same, and which requirements apply is determined by your cardholder data environment, not by your level. The merchant levels are published by Visa and broadly mirrored by Mastercard, Amex, Discover and JCB; your acquiring bank confirms which one applies to you. Service providers sit on their own scale: Level 1 is 300,000+ transactions a year and gets the same QSA-led assessment as a Level 1 merchant. The fastest way to make your level easier to live with is to cut scope. Moving telephone payments out of your environment with DTMF masking can move a Level 2 merchant onto a much shorter SAQ even though its transaction volume, and therefore its level, has not changed.
What Are PCI DSS Merchant Levels?
PCI DSS merchant levels are a classification system used by the major card brands -- Visa, Mastercard, American Express, and Discover -- to determine what type of compliance validation a merchant must complete. The level a business is assigned depends primarily on the volume of card transactions it processes each year.
The higher the transaction volume, the more rigorous the validation requirements. However, every merchant at every level is subject to the PCI DSS standard; which requirements apply to a given merchant is decided by its cardholder data environment and how it accepts cards, not by its level. The levels only determine how that compliance is verified -- not which standard applies.
The Four Merchant Levels
Level 1
Level 1 applies to merchants processing over 6 million card transactions per year across all channels, or any merchant that has suffered a data breach resulting in card data compromise. Level 1 merchants must:
- Complete an annual Report on Compliance (ROC) based on an on-site assessment by a Qualified Security Assessor (QSA); Visa also accepts an assessment by a PCI SSC-qualified Internal Security Assessor (ISA) if an officer of the company signs the ROC
- Submit quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
- Complete an Attestation of Compliance (AOC)
This is the most demanding level. The on-site assessment is thorough and examines every aspect of the cardholder data environment. Large retailers and major e-commerce platforms typically fall into this category; payment service providers are classified on the separate service provider scale described below.
Level 2
Level 2 applies to merchants processing between 1 million and 6 million transactions per year. These merchants must:
- Complete an annual Self-Assessment Questionnaire (SAQ)
- Submit quarterly ASV scans
- Complete an AOC
Some acquiring banks and card brands require more of Level 2 merchants. Mastercard, for example, requires a Level 2 merchant either to have its SAQ completed by staff holding the PCI SSC Internal Security Assessor (ISA) qualification or to engage a QSA. Acquirers may also insist on a QSA where the merchant has a complex cardholder data environment or a history of compliance issues.
Level 3
Level 3 applies to merchants processing between 20,000 and 1 million e-commerce transactions per year. The requirements are the same as Level 2 -- an annual SAQ, quarterly ASV scans, and an AOC. This level specifically targets online merchants with moderate transaction volumes.
Level 4
Level 4 is the most common level, covering merchants processing fewer than 20,000 e-commerce transactions per year, or up to 1 million transactions per year through channels other than e-commerce. Requirements include:
- Complete the appropriate annual SAQ
- Quarterly ASV scans (if applicable to the SAQ type)
- An AOC
Most small and medium-sized businesses fall into Level 4. While the validation requirements are less intensive than at higher levels, the standard being validated against is exactly the same.
How Levels Are Determined
Each card brand sets its own thresholds, and they can differ slightly. The figures above are based on Visa's definitions, which are the most widely referenced. Each brand counts only its own cards: Visa's 6 million means 6 million Visa transactions, and Mastercard counts Mastercard transactions. Mastercard uses the same volume thresholds and additionally places a merchant at Level 1 or Level 2 if it meets the corresponding Visa criteria.
Your acquiring bank is ultimately responsible for telling you which level applies to your business. It considers your transaction volume for each brand across all payment channels -- in-store, online, telephone, and mobile. If you are unsure of your level, your acquirer is the first point of contact.
What Happens If Your Level Changes
Merchant levels are not static. If your transaction volume grows and crosses a threshold, you will be reclassified to a higher level. This typically means more rigorous validation -- potentially moving from self-assessment to a full on-site audit by a QSA.
Level changes can also be triggered by security events. If your business suffers a data breach, the card brands can immediately escalate you to Level 1 regardless of your transaction volume. This escalation usually comes with a requirement for a forensic investigation by a PCI Forensic Investigator (PFI) and a remediation plan before you can return to normal processing.
Levels for Service Providers
Service providers -- companies that process, store, or transmit card data on behalf of other businesses -- have a separate two-tier classification system:
- Level 1: providers that store, process, or transmit more than 300,000 transactions per year. Must complete an annual ROC from a QSA assessment and quarterly ASV scans.
- Level 2: providers handling fewer than 300,000 transactions per year. Must complete the annual SAQ D for Service Providers and quarterly ASV scans.
Service providers are held to a higher standard than merchants at equivalent volumes because a breach at a service provider can affect many merchants simultaneously.
Telephone Payments and Merchant Levels
Telephone payments count towards your total transaction volume just like any other channel. If your business takes a significant proportion of payments over the phone, those transactions contribute to determining your merchant level.
More importantly, telephone payment environments can substantially increase your PCI DSS scope. Agent workstations, call recordings, telephony infrastructure, and network segments that carry voice data may all come into scope. This complexity can make compliance validation more burdensome -- regardless of your merchant level.
By descoping the telephone payment environment using technologies like DTMF masking, businesses can simplify their compliance validation significantly. A Level 2, 3 or 4 merchant often qualifies for a shorter SAQ type as a result; a Level 1 merchant still needs a ROC, but with a much smaller environment for the assessor to examine.
Understanding your merchant level is the first step in planning your PCI DSS compliance strategy. It determines the validation method, the cost, and the resources you will need to allocate. Regardless of level, investing in scope reduction through secure payment technologies almost always provides a better return than investing in securing a large, complex cardholder data environment.
Paytia is certified as a PCI DSS Level 1 Service Provider -- the highest level of compliance validation in the payment card industry. This means Paytia's platform undergoes annual on-site assessments by a Qualified Security Assessor and meets every requirement of the PCI DSS standard that applies to it.
For Paytia's clients, this certification has a direct practical benefit: by routing telephone payments through Paytia's secure telephone payment platform, merchants can take their contact centre agents, workstations and call recordings out of PCI DSS scope. This reduces the complexity of their own compliance validation, potentially allowing them to complete a simpler SAQ type and avoid the cost and disruption of a full on-site assessment.
Frequently Asked Questions
What PCI DSS level is my business?
Your PCI DSS merchant level depends on how many card transactions you process per year across all channels. Level 4 covers most small businesses (fewer than 20,000 e-commerce transactions, or up to 1 million transactions through other channels), while Level 1 applies to those processing over 6 million. Your acquiring bank can confirm your exact level.
Do all PCI DSS levels have the same requirements?
Yes. Every merchant at every level is validated against the same PCI DSS standard; which requirements apply depends on your cardholder data environment, not your level. The levels only determine how compliance is validated -- Level 1 requires an on-site assessment by a Qualified Security Assessor, while Levels 2 through 4 can typically self-assess using the appropriate SAQ.
Can my PCI DSS level change?
Yes. If your transaction volume crosses a threshold, your acquiring bank will reclassify you to the appropriate level. A data breach can also trigger an immediate escalation to Level 1 regardless of transaction volume, requiring a full on-site assessment and a forensic investigation by a PCI Forensic Investigator.