PCI DSS Levels Explained: Level 1, 2, 3 & 4 Merchant Tiers
PCI DSS levels (also called PCI merchant levels, PCI compliance levels or PCI tiers) are the four bands — Level 1 through Level 4 — that decide how a business has to prove it's compliant with the Payment Card Industry Data Security Standard. The level you sit on depends on how many card transactions you process a year. Level 1 is the heaviest (annual on-site QSA audit, signed Report on Compliance), Level 4 is the lightest (a Self-Assessment Questionnaire). Service providers run on a separate two-tier scale split at 300,000 transactions a year.
The PCI DSS levels (also called merchant levels or PCI levels) are four tiers that determine how a merchant validates compliance with the Payment Card Industry Data Security Standard. They're set by transaction volume: Level 1 is over 6 million card transactions a year and needs a full on-site audit by a Qualified Security Assessor, Level 2 is 1 to 6 million, Level 3 is 20,000 to 1 million e-commerce transactions, and Level 4 is everything below that. Every level has to meet the same 12 PCI DSS requirements — the level only changes how you prove it. A breach can bump any merchant straight up to Level 1 regardless of volume.
The PCI DSS levels matter mainly because they decide your validation cost and effort, not what security controls you have to put in place. A Level 1 audit by a QSA typically runs £30,000 to £80,000 a year and produces a signed Report on Compliance. A Level 4 merchant fills in the right Self-Assessment Questionnaire and submits an Attestation of Compliance — much lighter, but the underlying controls are identical. The merchant levels are published by Visa and broadly mirrored by Mastercard, Amex, Discover and JCB; your acquiring bank confirms which one applies to you. Service providers sit on their own scale: Level 1 SP is 300,000+ transactions a year and gets the same QSA-led audit as a Level 1 merchant. The fastest way to make your level easier to live with is to cut scope — moving telephone payments out of your environment with DTMF masking can drop a Level 2 merchant onto a much shorter SAQ even though their transaction volume hasn't changed.
What Are PCI DSS Merchant Levels?
PCI DSS merchant levels are a classification system used by the major card brands — Visa, Mastercard, American Express, and Discover — to determine what type of compliance validation a merchant must complete. The level a business is assigned depends primarily on the volume of card transactions it processes each year.
The higher the transaction volume, the more rigorous the validation requirements. But here's the part that catches people out: every merchant at every level must comply with the full PCI DSS standard. The levels only determine how that compliance is verified — not which requirements apply. A Level 4 corner shop and a Level 1 supermarket chain both have to meet all 12 PCI DSS requirements. The difference is the chain pays a QSA tens of thousands of pounds to prove it, and the corner shop fills in a questionnaire.
It's also worth being clear on what counts as a "transaction." PCI DSS counts the volume of card transactions processed under a single tax ID (so a multi-brand group can't game its level by spreading transactions across trading names). That includes refunds, voids, and authorisations that don't settle — not just successful sales. If you process 5.5 million sales and 600,000 refunds, you're over the 6 million Level 1 threshold.
The Four Merchant Levels
Level 1
Level 1 applies to merchants processing over 6 million card transactions per year across all channels, or any merchant that has suffered a data breach resulting in card data compromise. Level 1 merchants must:
- Complete an annual Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA)
- Submit quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
- Complete an Attestation of Compliance (AOC)
- Maintain evidence of ongoing compliance between annual audits (PCI DSS v4.0.1 makes this much more explicit than v3.2.1 did)
This is the most demanding level. The on-site assessment by a QSA is thorough and examines every aspect of the cardholder data environment. A typical ROC for a mid-size retailer takes 8 to 16 weeks from kick-off to signed report. The QSA samples systems, interviews staff, reviews policies, checks network diagrams against reality, observes key processes (like card data destruction), and tests controls. Expect somewhere between 200 and 600 evidence items depending on scope.
Cost varies hugely. A Level 1 ROC for a single-environment SaaS business with tight scope might come in at £30,000. A Level 1 ROC for a high-street retail group with multiple call centres, hundreds of stores, e-commerce, mobile, and a loyalty programme can easily clear £150,000 once remediation work, internal staff time, and ASV scanning fees are added in. Large retailers, major e-commerce platforms, and payment service providers typically fall into this category.
Level 2
Level 2 applies to merchants processing between 1 million and 6 million transactions per year. These merchants must:
- Complete an annual Self-Assessment Questionnaire (SAQ) — usually SAQ D for any merchant with a non-trivial cardholder data environment
- Submit quarterly ASV scans
- Complete an AOC signed by an officer of the business
Mastercard has historically required Level 2 merchants to engage a QSA or have an Internal Security Assessor (ISA) sign off the SAQ. Visa doesn't always insist, but some acquiring banks impose the same requirement, particularly if the merchant has a complex cardholder data environment or has experienced previous compliance issues. In practice, many Level 2 merchants end up with something that looks a lot like a Level 1 assessment — they fill out an SAQ D rather than a ROC, but a QSA is still in the building.
Level 3
Level 3 applies to merchants processing between 20,000 and 1 million e-commerce transactions per year. The requirements are the same as Level 2 — an annual SAQ, quarterly ASV scans, and an AOC. This level specifically targets online merchants with moderate transaction volumes.
One quirk of Level 3: it's defined by e-commerce volume specifically. A business with 800,000 in-store transactions but only 15,000 online transactions would not be Level 3 — it'd be Level 4 (or Level 2 if the in-store volume pushed total card-present transactions across the relevant threshold, depending on card brand). Always check Visa's published thresholds rather than going by memory, because the rules have moved over the years.
Level 4
Level 4 is the most common level, covering merchants processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions per year through other channels. Requirements include:
- Complete the appropriate annual SAQ (which SAQ depends on how you take payments — see below)
- Quarterly ASV scans (if applicable to the SAQ type — SAQ A and SAQ C-VT skip scans, SAQ D does not)
- An AOC
Most small and medium-sized businesses fall into Level 4. The validation requirements are less intensive, but the underlying PCI DSS requirements are exactly the same. The biggest risk for Level 4 merchants isn't the audit — it's getting the SAQ type wrong. Picking SAQ A when you should have been on SAQ D-MER is a common mistake, and acquirers don't always catch it. If you have a breach and your AOC was signed against the wrong SAQ, you can lose the safe-harbour protection it would have given you.
How Levels Are Determined
Each card brand sets its own thresholds, and they can differ slightly. The figures above are based on Visa's definitions, which are the most widely referenced. Mastercard uses similar thresholds but counts transactions differently for some merchant types (for example, recurring billing transactions get treated differently). Amex and Discover broadly track Visa's bands but have their own programme names — Amex calls Level 1 "Level 1" but ties it to USD 2.5 million in Amex-branded volume rather than 6 million transactions.
The result is that a business can technically be Level 2 with Visa and Level 1 with Amex if its mix of card brands tips that way. In practice, you take the highest level you're assigned across all brands and meet those requirements — there's no point doing two different validation paths in parallel.
Your acquiring bank is ultimately responsible for telling you which level applies to your business. They consider your total transaction volume across all payment channels — in-store, online, telephone, and mobile. If you are unsure of your level, your acquirer is the first point of contact. If you have multiple acquirers (some larger merchants split processing between two or three), the highest applicable level wins.
The 12-Month Counting Window
Levels are based on a rolling 12-month window of transactions. You don't drop a level the day after a busy peak — you have to sustain lower volume across a full year. Conversely, you can be bumped up mid-year if a 12-month rolling count crosses a threshold. Most acquirers run this calculation once a year at programme renewal, but card brands can intervene at any time.
What Happens If Your Level Changes
Merchant levels are not static. If your transaction volume grows and crosses a threshold, you will be reclassified to a higher level. This typically means more rigorous validation — potentially moving from self-assessment to a full on-site audit by a QSA.
A practical example: an online retailer doing 850,000 e-commerce transactions a year files an SAQ A every year and pays a few hundred pounds for ASV scans. They launch a successful marketing campaign, sales jump 40%, and they finish the year at 1.2 million transactions. At their next acquirer review, they're moved to Level 2 and asked to file an SAQ D. The SAQ D has 329 requirements (against SAQ A's 22). The merchant now needs to compile evidence for hundreds of controls they've never documented. Most businesses underestimate how much internal effort this takes — six months is a realistic timeline for a first SAQ D if you're starting from scratch.
Level changes can also be triggered by security events. If your business suffers a data breach, the card brands can immediately escalate you to Level 1 regardless of your transaction volume. This escalation usually comes with a requirement for a forensic investigation by a PCI Forensic Investigator (PFI) and a remediation plan before you can return to normal processing. We've seen Level 4 merchants — small businesses doing maybe 10,000 transactions a year — get hit with a breach and find themselves staring at a Level 1 audit programme that costs more than their annual profit. There's no proportionality clause in the card brand rules.
Mergers and Acquisitions
If you buy a business, you inherit their PCI level (or yours, whichever is higher). Acquiring a business that's been at Level 4 for years doesn't reset the clock — if their combined transaction volume with yours puts the merged entity at Level 2, you're at Level 2 from day one. This catches buyers out regularly during due diligence. The same goes for breach history: if the target has had a card data breach in the last 12 months, that history follows the merged entity.
Levels for Service Providers
Service providers — companies that process, store, or transmit card data on behalf of other businesses — have a separate two-tier classification system:
- Level 1: Providers that store, process, or transmit more than 300,000 transactions per year. Must complete an annual ROC by a QSA.
- Level 2: Providers handling fewer than 300,000 transactions per year. Must complete an annual SAQ D for service providers and quarterly ASV scans.
Service providers are held to a higher standard than merchants at equivalent volumes because a breach at a service provider can affect many merchants simultaneously. A single breach at a Level 1 service provider can hit thousands of merchant clients in one go — the 2008 Heartland Payment Systems breach exposed 130 million card numbers across thousands of merchants from a single compromise. That's why service provider Level 1 kicks in at 300,000 transactions rather than 6 million.
Service providers also have to be listed on the Visa Global Registry of Service Providers (or Mastercard's equivalent) to give their merchant customers confidence that they're validated. If you're a merchant using a third party to handle cardholder data, asking for their Visa registry listing is the quickest way to confirm they're really compliant rather than just claiming it.
Telephone Payments and Merchant Levels
Telephone payments count towards your total transaction volume just like any other channel. If your business takes a significant proportion of payments over the phone, those transactions contribute to determining your merchant level.
More importantly, telephone payment environments can substantially increase your PCI DSS scope. Agent workstations, call recordings, telephony infrastructure, and network segments that carry voice data may all come into scope. This complexity can make compliance validation more burdensome — regardless of your merchant level. A Level 4 merchant with a call centre often ends up with a harder PCI DSS scope to defend than a Level 2 merchant who takes everything online through a tokenised gateway.
The reason is that traditional call-centre payment handling spreads cardholder data across a much wider footprint. The agent hears the card number. It's spoken over a voice channel that may traverse SIP trunks, session border controllers, voice gateways, and call recording servers. The agent types it into a payment screen. The PC, the network segment behind it, and any screen recording all touch card data. PCI DSS demands you protect every one of those components — encrypt the storage, segment the network, log access, restrict admin rights, and so on.
By descoping the telephone payment environment using technologies like DTMF masking, businesses can simplify their compliance validation significantly, often qualifying for a simpler SAQ type even at higher merchant levels. The card data never reaches the agent or the agent's PC — the customer keys it on their own phone, the tones are masked before they reach the call recording, and the digits go directly to the payment processor. The agent stays on the call but never sees the PAN. That removes the call centre from PCI scope almost entirely.
How the Levels Compare
The differences between the levels are about effort, cost, and frequency of external scrutiny — not about which rules apply.
| Level | Volume | Validation | Annual cost (typical) | External assessor required? |
|---|---|---|---|---|
| Level 1 | 6m+ | ROC by QSA | £30k–£150k+ | Yes — QSA on site |
| Level 2 | 1m–6m | SAQ D (often QSA-assisted) | £10k–£40k | Sometimes — depends on brand and bank |
| Level 3 | 20k–1m e-com | SAQ (type depends on setup) | £2k–£15k | No, but ASV scans needed |
| Level 4 | Below Level 3 | SAQ (type depends on setup) | £500–£5k | No |
Cost ranges assume the merchant already has reasonable security hygiene. Add remediation costs on top if the assessment exposes gaps — and it usually does on a first audit.
PCI DSS v4.0.1 and the Levels
PCI DSS v4.0.1 is the current version of the standard, in force since June 2024. The merchant level system didn't change — the thresholds, the SAQ requirement for each level, and the QSA requirement for Level 1 are all still as they were under v3.2.1. What did change is the underlying control set, and that affects every level the same way.
The big v4.0.1 changes that hit Level 1 merchants hardest are the new requirements around customised approach (you can now design your own controls to meet a requirement's stated objective, but you have to document the threat model and have the QSA approve it), targeted risk analysis (Requirement 12.3.1 requires a documented risk analysis for any PCI DSS requirement you implement using a frequency you've chosen yourself), and the heavily tightened authentication rules (Requirement 8.3.6 forces 12-character passwords or 8-character passwords with MFA). Level 4 merchants on SAQ A are less affected because most of those control changes don't apply to fully outsourced e-commerce setups.
The 31 March 2025 deadline for the "future-dated" v4 requirements has now passed — every level is meant to be fully on v4.0.1 by mid-2026. If your last QSA-led audit was completed under v3.2.1, your next one will be the first against the full v4.0.1 control set. Plan for it taking longer than the previous year's audit did.
Common Failure Modes
Filing the wrong SAQ
The single most common Level 4 mistake. A merchant signs SAQ A because their website hands off to a hosted payment page, but they didn't realise their staff also take phone payments and key them into the same gateway's virtual terminal. That's SAQ C-VT territory, and depending on call recording, possibly SAQ D. The AOC signed against SAQ A is invalid for the phone channel, and any breach involving phone payments would void any safe-harbour protection.
Treating the level as the security ceiling
Level 4 merchants sometimes assume "we're Level 4, so we don't need to do much." The level is about validation, not about controls. A Level 4 merchant who's compromised because they didn't patch their server still owes the same fines, forensic costs, and card brand penalties as a Level 1 would.
Not tracking volume across acquirers
If you have two acquiring relationships — say one for in-store and one for online — the level is determined by combined volume under your tax ID, not by each acquirer separately. Each acquirer may class you as Level 3 in isolation, but combined you might be Level 2. Either acquirer can ask for that calculation. Don't be caught out.
Forgetting the breach trigger
Some boards treat PCI compliance as a Level 4 budget line because they assume a small business can't be hit. Card data breaches are increasingly opportunistic — attackers scrape lists of small e-commerce sites running outdated CMS plugins and harvest cards by the thousand. A small retailer gets breached, gets reclassified to Level 1, and the next year's PCI bill is more than the company makes in profit. The cheap insurance is reducing scope before the breach happens.
Misreading "transactions" as "sales"
"Transactions" means every card transaction your acquirer processes: refunds, voids, and authorisations that don't settle all count, not just successful sales. A business with high refund rates (think fashion e-commerce with 30%+ returns) can be one level higher than the sales figures suggest. Count what your acquirer counts.
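The three counting mistakes above (tracking volume per acquirer instead of per tax ID, counting only sales, and forgetting the rolling 12-month window described under "How Levels Are Determined") come down to arithmetic that is easy to get wrong on a spreadsheet. The following is an added illustration, not code from the page or from Paytia: it classifies a merchant against the Visa bands as this article describes them using monthly acquirer summary rows. The row format, the acquirer and tax ID names, the sample counts and the treatment of the exact boundary values as inclusive are all assumptions; your acquirer's count is the one that applies.

```python
"""Visa merchant-level calculation from monthly acquirer summaries.

Added example: classifies one tax ID using the level bands this article
describes. Boundary inclusivity, the row format and all sample figures are
assumptions made for the example, not values taken from any card brand.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Bands as described on the page (Visa definitions). Treating the exact
# boundary values as inclusive is an assumption; confirm with your acquirer.
LEVEL_1_TOTAL = 6_000_000   # more than this across all channels -> Level 1
LEVEL_2_TOTAL = 1_000_000   # 1m to 6m total transactions -> Level 2
LEVEL_3_ECOM = 20_000       # 20k to 1m e-commerce transactions -> Level 3


@dataclass(frozen=True)
class SummaryRow:
    """One line of a monthly acquirer statement (hypothetical format)."""
    tax_id: str       # levels are counted per tax ID, not per acquirer
    acquirer: str
    channel: str      # "ecom", "pos", "phone" or "mobile"
    kind: str         # "sale", "refund", "void" or "auth": all of them count
    period_end: date
    count: int


def rolling_counts(rows, as_of, tax_id, acquirer=None, kinds=None):
    """Total and e-commerce counts for the trailing 12 months of one tax ID.

    The optional filters exist only to reproduce the mistakes the article
    warns about: one acquirer in isolation, or sales-only counting.
    """
    window_start = as_of - timedelta(days=365)
    total = ecom = 0
    for row in rows:
        if row.tax_id != tax_id or not (window_start < row.period_end <= as_of):
            continue
        if acquirer is not None and row.acquirer != acquirer:
            continue
        if kinds is not None and row.kind not in kinds:
            continue
        total += row.count
        if row.channel == "ecom":
            ecom += row.count
    return total, ecom


def visa_merchant_level(total, ecom, breached=False):
    """Map counts to a merchant level; a confirmed breach overrides volume."""
    if breached or total > LEVEL_1_TOTAL:
        return 1
    if total >= LEVEL_2_TOTAL:
        return 2
    if ecom >= LEVEL_3_ECOM:
        return 3
    return 4


def level_for(rows, as_of, tax_id, acquirer=None, kinds=None, breached=False):
    total, ecom = rolling_counts(rows, as_of, tax_id, acquirer, kinds)
    return visa_merchant_level(total, ecom, breached)


def build_sample_rows():
    """Constructed data: one tax ID, a store acquirer and a web acquirer,
    twelve months of 2025, plus one older month outside the window."""
    rows = []
    for month in range(1, 13):
        end = date(2025, month, calendar.monthrange(2025, month)[1])
        rows += [
            SummaryRow("TAX-001", "ACQ-STORE", "pos", "sale", end, 50_000),
            SummaryRow("TAX-001", "ACQ-STORE", "pos", "refund", end, 5_000),
            SummaryRow("TAX-001", "ACQ-WEB", "ecom", "sale", end, 25_000),
            SummaryRow("TAX-001", "ACQ-WEB", "ecom", "refund", end, 7_500),
            SummaryRow("TAX-001", "ACQ-WEB", "ecom", "auth", end, 1_000),
        ]
    # Outside the 12-month window ending 2025-12-31: must be ignored.
    rows.append(SummaryRow("TAX-001", "ACQ-WEB", "ecom", "sale", date(2024, 12, 31), 200_000))
    return rows


if __name__ == "__main__":
    rows, as_of = build_sample_rows(), date(2025, 12, 31)
    print("combined, all kinds:", rolling_counts(rows, as_of, "TAX-001"),
          "-> Level", level_for(rows, as_of, "TAX-001"))
    print("sales only:", rolling_counts(rows, as_of, "TAX-001", kinds={"sale"}),
          "-> Level", level_for(rows, as_of, "TAX-001", kinds={"sale"}))
```

Run as written, the same merchant is Level 4 through the store acquirer alone, Level 3 through the web acquirer alone or when only sales are counted, and Level 2 once refunds, voids and unsettled authorisations from both acquirers are combined under the one tax ID.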
Best Practice: Cut Scope Before You Cut Costs
The biggest lever any merchant has on their PCI DSS workload is scope. Scope is the set of systems, people, and processes that store, process, or transmit cardholder data — plus anything connected to them. The bigger the scope, the more controls you need, the longer the audit, the higher the bill.
Cutting scope means reducing what touches cardholder data. The standard techniques work across every level:
- Outsource where you can. Use a hosted payment page so the cardholder data never touches your servers. That's the difference between SAQ A and SAQ D.
- Tokenise everything that has to stay in-house. If you need to store something to support recurring billing or refunds, store a token from your gateway, not the PAN itself.
- Segment your network. Anything that doesn't need to talk to the cardholder data environment shouldn't be able to. Proper segmentation is the difference between auditing 12 servers and auditing 500.
- Take card data out of the call centre. DTMF masking moves the PAN entry from the agent to the cardholder's own phone, with the digits sent straight to the payment processor. The call centre stops being in scope for the cardholder data environment.
For a Level 4 merchant, scope cuts can mean the difference between an SAQ A (22 controls) and an SAQ D (329 controls). For a Level 1 merchant, scope cuts can knock six figures off the annual audit bill and reduce the time the QSA needs on site from weeks to days.
How Paytia Helps
We focus on the part of PCI DSS that hurts most call centres regardless of level: telephone payments. Our DTMF masking platform moves the cardholder data flow off the agent's screen and away from the call recording. Customers key their card details on their own phone keypad. The DTMF tones are masked into a flat sound before they reach the agent or any recorder, and the digits are routed straight to the payment processor.
The result is that the call centre stops being a cardholder data environment. Agents never see or hear the PAN. Call recordings can't capture it. The PC the agent is on doesn't store it. For most of our clients, that change drops their telephone payment environment off the PCI DSS scope diagram entirely, which usually means moving from SAQ D to SAQ A-EP or even SAQ A. Some clients have moved from a Level 2 SAQ D programme to a Level 2 SAQ A-EP that gets signed off in days rather than weeks. The level number didn't change — but the work behind it dropped massively.
Frequently Asked Questions
What PCI level is my business?
Your acquiring bank confirms your level. The rough rule: under 1 million total transactions a year and under 20,000 e-commerce transactions puts you at Level 4 with Visa. Between 20,000 and 1 million e-commerce transactions is Level 3. 1 to 6 million is Level 2. Over 6 million is Level 1. A breach moves you to Level 1 regardless.
Do all PCI levels have to meet the same requirements?
Yes. The 12 PCI DSS requirements apply to every merchant from Level 1 to Level 4. The level only changes how you validate compliance — annual QSA audit at Level 1, SAQ at Levels 2 through 4. The technical controls themselves are identical.
What's the difference between Level 1 and Level 4 PCI DSS?
Mainly volume and validation effort. Level 1 is for merchants doing 6 million+ card transactions a year and needs an annual on-site audit by a QSA producing a ROC. Level 4 covers most small businesses and only needs an SAQ. The PCI DSS rules they have to follow are the same.
How does a breach affect my PCI level?
The card brands can move any merchant to Level 1 immediately after a confirmed card data compromise. That usually means a forensic investigation by a PCI Forensic Investigator, a remediation plan, and an annual ROC by a QSA — sometimes for a fixed multi-year period before you can be reassessed back down.
How is a service provider PCI level different from a merchant level?
Service providers have two levels instead of four. Level 1 SP is 300,000+ transactions a year (much lower than Level 1 merchant at 6 million), and they need an annual ROC by a QSA. Level 2 SP handles fewer than 300,000 transactions and files an SAQ D plus ASV scans. The lower threshold reflects the systemic risk — a service provider breach can hit thousands of merchants at once.
What does a Level 1 PCI audit cost?
Typically £30,000 to £80,000 a year for a single-environment merchant with reasonable hygiene. Complex retail groups with multiple call centres, stores, and digital channels can clear £150,000 once internal staff time, ASV fees, and remediation work are added in. Service provider ROCs run similarly.
Can I reduce my PCI level by changing how I take payments?
You can't reduce the level itself without reducing transaction volume — that's set by counts. But you can reduce the SAQ type within your level, and that's where most of the cost lives. Moving from SAQ D to SAQ A or SAQ A-EP by removing cardholder data from your environment is often the biggest single saving available. Phone payment descoping via DTMF masking, fully hosted e-commerce pages, and proper tokenisation are the main routes.
Do telephone payments affect my PCI level?
Yes — they count towards your transaction volume the same as any other channel. And they often blow up your PCI scope even at a low level because call recordings, agent workstations, and voice networks all come into the cardholder data environment. Descoping the phone channel with DTMF masking removes most of that complexity.
Does PCI DSS v4.0.1 change the merchant levels?
No. The level system is unchanged. v4.0.1 changes which controls you have to implement and how you document them, but the volume thresholds for Levels 1 through 4 and the validation methods (ROC vs SAQ) are the same.
Who decides what level I'm at?
Your acquiring bank, based on the card brand definitions. If you have multiple acquirers, the highest level applies. The card brands themselves can override your acquirer in exceptional circumstances — most commonly after a breach.
Paytia is certified as a PCI DSS Level 1 Service Provider, the highest level of compliance validation in the payment card industry (see how we handle PCI DSS v4). This means Paytia's platform undergoes annual on-site assessments by a Qualified Security Assessor and meets every requirement of the PCI DSS standard.
For Paytia's clients, this certification has a direct practical benefit: by routing telephone payments through Paytia's secure telephone payment platform, merchants can descope their contact centre from PCI DSS requirements. This can reduce the complexity of their own compliance validation, potentially allowing them to complete a simpler SAQ type and avoid the cost and disruption of a full on-site assessment.
Frequently Asked Questions
What PCI DSS level is my business?
Your PCI DSS merchant level depends on how many card transactions you process per year across all channels. Level 4 covers most small businesses (under 1 million transactions), while Level 1 applies to those processing over 6 million. Your acquiring bank can confirm your exact level.
Do all PCI DSS levels have the same requirements?
Yes. Every merchant at every level must comply with the full PCI DSS standard. The levels only determine how compliance is validated -- Level 1 requires an on-site assessment by a Qualified Security Assessor, while Levels 2 through 4 can typically self-assess using the appropriate SAQ.
Can my PCI DSS level change?
Yes. If your transaction volume crosses a threshold, your acquiring bank will reclassify you to the appropriate level. A data breach can also trigger an immediate escalation to Level 1 regardless of transaction volume, requiring a full on-site assessment and forensic investigation.