What Are the PCI DSS Levels?

PCI DSS levels are four categories that classify merchants based on the number of card transactions they process each year. Level 1 is the highest, covering merchants that process over 6 million transactions annually, while Level 4 covers those processing fewer than 20,000. Each level has different compliance validation requirements.

What Are PCI DSS Merchant Levels?

PCI DSS merchant levels are a classification system used by the major card brands -- Visa, Mastercard, American Express, and Discover -- to determine what type of compliance validation a merchant must complete. The level a business is assigned depends primarily on the volume of card transactions it processes each year.

The higher the transaction volume, the more rigorous the validation requirements. However, every merchant at every level must comply with the full PCI DSS standard. The levels only determine how that compliance is verified -- not which requirements apply.

The Four Merchant Levels

Level 1

Level 1 applies to merchants processing over 6 million card transactions per year across all channels, or any merchant that has suffered a data breach resulting in card data compromise. Level 1 merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA).

This is the most demanding level. The on-site assessment by a QSA is thorough and examines every aspect of the cardholder data environment. Large retailers, major e-commerce platforms, and payment service providers typically fall into this category.

Level 2

Level 2 applies to merchants processing between 1 million and 6 million transactions per year. These merchants must:

  • Complete an annual Self-Assessment Questionnaire (SAQ)
  • Pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
  • Submit an Attestation of Compliance (AOC)

Some acquiring banks may require Level 2 merchants to engage a QSA for their assessment, particularly if the merchant has a complex cardholder data environment or has experienced previous compliance issues.

Level 3

Level 3 applies to merchants processing between 20,000 and 1 million e-commerce transactions per year. The requirements are the same as Level 2 -- an annual SAQ, quarterly ASV scans, and an AOC. This level specifically targets online merchants with moderate transaction volumes.

Level 4

Level 4 is the most common level, covering merchants processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions per year through other channels. Requirements include:

  • Completing the appropriate annual SAQ
  • Passing quarterly ASV scans (if applicable to the SAQ type)
  • Submitting an AOC

Most small and medium-sized businesses fall into Level 4. While the validation requirements are less intensive than higher levels, the underlying PCI DSS requirements are exactly the same.

How Levels Are Determined

Each card brand sets its own thresholds, and they can differ slightly. The figures above are based on Visa's definitions, which are the most widely referenced. Mastercard uses similar thresholds but counts transactions differently for some merchant types.

Your acquiring bank is ultimately responsible for telling you which level applies to your business. They consider your total transaction volume across all payment channels -- in-store, online, telephone, and mobile. If you are unsure of your level, your acquirer is the first point of contact.

What Happens If Your Level Changes

Merchant levels are not static. If your transaction volume grows and crosses a threshold, you will be reclassified to a higher level. This typically means more rigorous validation -- potentially moving from self-assessment to a full on-site audit by a QSA.

Level changes can also be triggered by security events. If your business suffers a data breach, the card brands can immediately escalate you to Level 1 regardless of your transaction volume. This escalation usually comes with a requirement for a forensic investigation and remediation plan before you can return to normal processing.

Levels for Service Providers

Service providers -- companies that process, store, or transmit card data on behalf of other businesses -- have a separate two-tier classification system:

  • Level 1: Providers that store, process, or transmit more than 300,000 transactions per year. They must complete an annual Report on Compliance (ROC) performed by a QSA.
  • Level 2: Providers handling fewer than 300,000 transactions per year. They must complete an annual SAQ-D and quarterly ASV scans.

Service providers are held to a higher standard than merchants at equivalent volumes because a breach at a service provider can affect many merchants simultaneously.
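The classification rules above (merchant Levels 1 to 4, the breach escalation described under "What Happens If Your Level Changes", and the two service-provider tiers) can be written down as a small decision procedure. The following is an added example, not Paytia's code or anything from the card brands: it encodes the Visa-based thresholds quoted on this page, treats a breach as an override to Level 1, and maps each level to the validation steps the page lists. How the boundaries at exactly 1,000,000 or 20,000 transactions are handled is an assumption; in practice the acquiring bank's determination is authoritative.

```python
"""Classify PCI DSS merchant and service-provider levels from annual volume.

Added example using the Visa-based thresholds quoted on the page. Boundary
handling (exactly 1,000,000 or 20,000 transactions) is an assumption; the
acquiring bank's decision always overrides this calculation.
"""
from dataclasses import dataclass
from typing import List

# Thresholds as stated on the page.
MERCHANT_LEVEL_1_TOTAL = 6_000_000    # "over 6 million" total -> Level 1
MERCHANT_LEVEL_2_TOTAL = 1_000_000    # "between 1 million and 6 million" -> Level 2
MERCHANT_LEVEL_3_ECOMMERCE = 20_000   # "between 20,000 and 1 million e-commerce" -> Level 3
SERVICE_PROVIDER_LEVEL_1 = 300_000    # "more than 300,000" -> Service Provider Level 1


@dataclass(frozen=True)
class MerchantVolume:
    """Annual card transaction counts for one merchant, split by channel."""
    ecommerce: int          # online transactions
    other: int              # in-store, telephone, mobile and any other channel
    breached: bool = False  # card data compromise during the period

    @property
    def total(self) -> int:
        return self.ecommerce + self.other


def merchant_level(v: MerchantVolume) -> int:
    """Return the merchant level (1-4) implied by volume and breach status.

    Checks run from most to least demanding, so a merchant meeting several
    criteria is assigned the highest applicable level.
    """
    if v.breached:
        # Card brands can escalate to Level 1 regardless of volume.
        return 1
    if v.total > MERCHANT_LEVEL_1_TOTAL:
        return 1
    if v.total > MERCHANT_LEVEL_2_TOTAL:
        return 2
    if v.ecommerce >= MERCHANT_LEVEL_3_ECOMMERCE:
        # Level 3 is defined on e-commerce volume alone (lower bound assumed inclusive).
        return 3
    return 4


def merchant_validation(level: int) -> List[str]:
    """Validation steps the page describes for each merchant level."""
    if level == 1:
        return ["Annual on-site assessment by a QSA"]
    if level in (2, 3):
        return ["Annual SAQ", "Quarterly ASV scans", "AOC"]
    if level == 4:
        return ["Annual SAQ", "Quarterly ASV scans (if applicable to SAQ type)", "AOC"]
    raise ValueError(f"unknown merchant level {level}")


def service_provider_level(annual_transactions: int) -> int:
    """Two-tier service-provider classification from the page."""
    return 1 if annual_transactions > SERVICE_PROVIDER_LEVEL_1 else 2


def service_provider_validation(level: int) -> List[str]:
    if level == 1:
        return ["Annual ROC by a QSA"]
    if level == 2:
        return ["Annual SAQ-D", "Quarterly ASV scans"]
    raise ValueError(f"unknown service provider level {level}")


def validation_becomes_stricter(previous_level: int, v: MerchantVolume) -> bool:
    """True when growth or a breach moves a merchant to a more demanding level.

    Lower level numbers are more demanding, so a drop in the number is an escalation.
    """
    return merchant_level(v) < previous_level


if __name__ == "__main__":
    # Constructed sample merchants, not real data.
    samples = {
        "large retailer": MerchantVolume(ecommerce=2_000_000, other=5_000_000),
        "mid-size chain": MerchantVolume(ecommerce=100_000, other=2_400_000),
        "online shop": MerchantVolume(ecommerce=50_000, other=10_000),
        "local business": MerchantVolume(ecommerce=5_000, other=400_000),
        "breached local business": MerchantVolume(ecommerce=5_000, other=400_000, breached=True),
    }
    for name, vol in samples.items():
        lvl = merchant_level(vol)
        print(f"{name:25s} total={vol.total:>9,}  Level {lvl}: {merchant_validation(lvl)}")
    sp = service_provider_level(350_000)
    print(f"service provider (350,000 txns) Level {sp}: {service_provider_validation(sp)}")
```

Running the script prints the level and validation steps for each constructed merchant; the breached local business lands at Level 1 despite its Level 4 volume, which is exactly the reclassification effect described above.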

Telephone Payments and Merchant Levels

Telephone payments count towards your total transaction volume just like any other channel. If your business takes a significant proportion of payments over the phone, those transactions contribute to determining your merchant level.

More importantly, telephone payment environments can substantially increase your PCI DSS scope. Agent workstations, call recordings, telephony infrastructure, and network segments that carry voice data may all come into scope. This complexity can make compliance validation more burdensome -- regardless of your merchant level.

By descoping the telephone payment environment using technologies like DTMF masking, businesses can simplify their compliance validation significantly, often qualifying for a simpler SAQ type even at higher merchant levels.

Understanding your merchant level is the first step in planning your PCI DSS compliance strategy. It determines the validation method, the cost, and the resources you will need to allocate. Regardless of level, investing in scope reduction through secure payment technologies almost always provides a better return than investing in securing a large, complex cardholder data environment.

How Paytia Uses This

Paytia is certified as a PCI DSS Level 1 Service Provider -- the highest level of compliance validation in the payment card industry. This means Paytia's platform undergoes annual on-site assessments by a Qualified Security Assessor and meets every requirement of the PCI DSS standard.

For Paytia's clients, this certification has a direct practical benefit: by routing telephone payments through Paytia's secure telephone payment platform, merchants can descope their contact centre from PCI DSS requirements. This can reduce the complexity of their own compliance validation, potentially allowing them to complete a simpler SAQ type and avoid the cost and disruption of a full on-site assessment.

Frequently Asked Questions

What PCI DSS level is my business?

Your PCI DSS merchant level depends on how many card transactions you process per year across all channels. Level 4 covers most small businesses (under 1 million transactions), while Level 1 applies to those processing over 6 million. Your acquiring bank can confirm your exact level.

Do all PCI DSS levels have the same requirements?

Yes. Every merchant at every level must comply with the full PCI DSS standard. The levels only determine how compliance is validated -- Level 1 requires an on-site assessment by a Qualified Security Assessor, while Levels 2 through 4 can typically self-assess using the appropriate SAQ.

Can my PCI DSS level change?

Yes. If your transaction volume crosses a threshold, your acquiring bank will reclassify you to the appropriate level. A data breach can also trigger an immediate escalation to Level 1 regardless of transaction volume, requiring a full on-site assessment and forensic investigation.
