Guide 3 of 10

PCI DSS Compliance Levels Explained

PCI DSS assigns businesses to one of four compliance levels based on how many card transactions they process each year. Your level determines what validation you need.

Why Compliance Levels Exist

Not every business processes the same volume of card transactions, and it wouldn't make sense to impose identical validation requirements on a corner shop and a national supermarket chain. That's why PCI DSS uses a tiered system of compliance levels. Your level is determined primarily by the number of card transactions you process annually, and it dictates how rigorously you need to demonstrate compliance.

There are four compliance levels, numbered 1 through 4. Level 1 is the highest, requiring the most rigorous validation. Level 4 is the lowest, with lighter-touch requirements. Most small and mid-sized businesses fall into Level 3 or Level 4, which means they can validate compliance through a Self-Assessment Questionnaire (SAQ) rather than a formal on-site audit.

Understanding your compliance level is one of the first things you should do when approaching PCI DSS. It tells you what validation you need, how much it's likely to cost, and what resources you'll need to allocate. Let's break down each level.

The Four Compliance Levels

Level 1 — Over 6 Million Transactions Per Year

Level 1 applies to the largest merchants — those processing more than 6 million card transactions annually across all channels (in-store, online, telephone, and any other method combined). This includes major retailers, airlines, hotel chains, and large e-commerce platforms.

Level 1 validation requirements are the most stringent:

  • Annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (RoC)
  • Quarterly ASV network vulnerability scans
  • Attestation of Compliance (AoC), signed on the basis of the RoC

The cost of Level 1 compliance is substantial. A QSA assessment alone can cost anywhere from £30,000 to £100,000 or more, depending on the complexity of the cardholder data environment. Add in the costs of remediation, security tools, and internal resources, and total compliance costs for Level 1 merchants often run into six figures annually.

Level 2 — 1 Million to 6 Million Transactions Per Year

Level 2 covers mid-sized merchants processing between 1 million and 6 million transactions annually. Regional retail chains, established e-commerce businesses, and medium-sized service providers typically fall into this bracket.

Level 2 validation requirements include:

  • Annual Self-Assessment Questionnaire (SAQ) — though some acquiring banks may still require a QSA assessment
  • Quarterly ASV network vulnerability scans
  • Attestation of Compliance (AoC)

The practical difference from Level 1 is that most Level 2 merchants can self-assess rather than hiring a QSA. However, your acquiring bank has the final say — some banks require Level 2 merchants to engage a QSA, particularly if there's been a previous security incident.

Level 3 — 20,000 to 1 Million E-Commerce Transactions Per Year

Level 3 is specifically focused on e-commerce merchants processing between 20,000 and 1 million online transactions annually. This level was designed to address the particular risks associated with internet-facing payment systems.

If your business primarily takes payments in person or by phone, Level 3 typically wouldn't apply, because it is triggered by e-commerce volume alone. You'd fall into Level 4 if your total transaction count across all channels is up to 1 million, or Level 2 if it is higher.

Validation requirements for Level 3:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly ASV network vulnerability scans
  • Attestation of Compliance (AoC)

Level 4 — Fewer Than 20,000 E-Commerce Transactions or Up to 1 Million Total Transactions Per Year

Level 4 is where the majority of businesses sit. If you process fewer than 20,000 e-commerce transactions annually and no more than 1 million total transactions across all channels, you're a Level 4 merchant. (If your e-commerce volume alone reaches 20,000, the Level 3 threshold takes precedence even when your total is well under 1 million.) This covers most small businesses, independent retailers, professional services firms, charities, and small contact centres.

Level 4 validation requirements are the lightest:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly ASV network vulnerability scans (required where your SAQ type includes external vulnerability scanning, and often required by acquiring banks in any case)
  • Attestation of Compliance (AoC)

Don't mistake "lightest" for "optional." Level 4 merchants are still fully bound by PCI DSS. The 12 requirements still apply. The difference is in how you prove compliance — through self-assessment rather than external audit.

How Transaction Counts Are Calculated

A common source of confusion is how transactions are counted. Here are some important details:

  • Each individual transaction counts — if a customer buys three items in separate transactions, that's three transactions, not one
  • Thresholds are set per card brand — Visa counts Visa transactions, Mastercard counts Mastercard transactions, and so on. The brands do recognise each other's classification (Mastercard, for example, treats any merchant that meets Visa's Level 1 criteria as Level 1), so in practice you are assessed at the highest level you reach under any brand
  • All channels are combined for Levels 1 and 2 — online, in-store, telephone, and mail order transactions are totalled
  • E-commerce is counted separately for Level 3 — this threshold specifically measures online transactions
  • Refunds and chargebacks still involve handling cardholder data, so they are in scope for the requirements; whether they count towards your level threshold depends on your acquiring bank's counting method, so confirm it with them

Your acquiring bank is the ultimate authority on your compliance level. If you're unsure, ask them directly. They'll be able to tell you your classification based on their records of your transaction volume.

What Happens When Your Level Changes

Compliance levels aren't permanent. As your business grows and transaction volumes increase, you may be reclassified to a higher level. Similarly, if volumes decrease, you might move to a lower level — though this is less common and banks tend to be conservative about downgrading.

There are also situations where you can be moved up regardless of volume:

  • After a data breach — card brands or your acquiring bank can escalate you to Level 1, requiring a full QSA assessment, regardless of how many transactions you process
  • At the acquiring bank's discretion — if your bank has concerns about your security posture, they can require more rigorous validation
  • Card brand mandates — Visa, Mastercard, and others can designate specific merchants for enhanced monitoring at any time

This is an important point: compliance levels determine the minimum validation. Your acquiring bank can always require more.

Compliance Levels for Service Providers

The levels we've discussed so far apply to merchants — businesses that accept card payments. Service providers — companies that store, process, or transmit cardholder data on behalf of merchants — have their own classification:

  • Level 1 service providers process more than 300,000 transactions per year, or are designated by a card brand. They must undergo an annual QSA assessment and produce a Report on Compliance.
  • Level 2 service providers process fewer than 300,000 transactions per year. They can validate with an annual SAQ (SAQ D for Service Providers) and quarterly ASV scans, producing an AoC.

When evaluating payment solutions, always verify that your provider maintains appropriate PCI DSS compliance. For example, Paytia is validated as a PCI DSS Level 1 service provider, which means it undergoes the most rigorous annual assessment — giving its clients confidence that the platform meets the highest security standards.

The Relationship Between Levels and SAQs

Your compliance level tells you how to validate. Your SAQ type tells you what to validate. They work together.

A Level 4 merchant who has fully outsourced card processing might complete SAQ A (22 questions) once a year. A Level 4 merchant who stores card data on their own servers would need SAQ D (326 questions). Question counts vary between PCI DSS versions, but the proportion holds. Both are Level 4, yet their compliance workload is vastly different because of how they handle card data.

This is why descoping — reducing the number of systems that touch card data — is so valuable. It doesn't change your compliance level, but it can dramatically simplify your SAQ. We cover SAQ types in detail in Guide 4 and descoping strategies in Guide 5.

Key Takeaways

  • There are four compliance levels for merchants, based on annual card transaction volume — Level 1 (over 6 million) through Level 4 (up to 1 million total or under 20,000 e-commerce)
  • Most small and mid-sized businesses are Level 4, validating compliance through annual Self-Assessment Questionnaires rather than on-site audits
  • Your acquiring bank determines your level and can require more rigorous validation than the minimum — especially after a data breach
  • Service providers have a separate two-level system — always check that your payment providers maintain appropriate PCI DSS validation
  • Your level determines how you validate; your SAQ type determines what you validate — reducing scope through descoping simplifies the "what" regardless of your level
  • All levels require full PCI DSS compliance — the difference is in the rigour of validation, not in whether the requirements apply

Frequently Asked Questions

How do I know which PCI compliance level I am?

Your level depends on how many card transactions you process annually: Level 4 is under 20,000 e-commerce and up to 1 million total transactions; Level 3 is 20,000 to 1 million e-commerce transactions; Level 2 is 1 million to 6 million; Level 1 is over 6 million. Your acquiring bank confirms your classification, so ask them if you're unsure.

Can my compliance level change?

Yes — if your transaction volume grows (or shrinks), your acquiring bank may reclassify you. A data breach can also force you to a higher level regardless of volume.

What is the difference between Level 1 and Level 4?

Level 1 merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (RoC), plus quarterly ASV network scans. Level 4 merchants typically complete a Self-Assessment Questionnaire (SAQ) and quarterly scans. Both must meet all 12 PCI DSS requirements; only the method of validation differs.

See How Paytia Helps

Ready to simplify your PCI compliance?

Book a personalised demo and we'll show you how Paytia can descope your telephone payment environment.
