Module 3: PCI Compliance Levels Explained
PCI DSS assigns businesses to one of four compliance levels based on how many card transactions they process each year. Your level determines what validation you need.
For the formal definition see PCI DSS Levels. This module is the learn-by-doing version.
If you process card payments, the PCI DSS rulebook applies — but how strictly depends on your transaction volume. A florist taking 200 card payments a year doesn't face the same validation burden as a supermarket chain taking millions. That's what compliance levels are for — matching audit rigour to the size of the risk.
This guide reflects PCI DSS v4.0.1, the current version of the standard. The 31 March 2025 deadline for the new requirements has passed — every requirement is now in force.
PCI DSS compliance levels are four tiers — numbered 1 through 4 — that determine how a merchant must validate compliance with the Payment Card Industry Data Security Standard. The level depends on annual card transaction volume: Level 1 covers merchants processing more than 6 million transactions per year and requires a full on-site audit by a Qualified Security Assessor; Level 2 covers 1 to 6 million; Level 3 covers 20,000 to 1 million e-commerce transactions; Level 4 covers fewer than 20,000 e-commerce or under 1 million other transactions, and is validated through a Self-Assessment Questionnaire.
The PCI DSS compliance levels — sometimes called merchant levels or PCI levels — were created so that validation effort scales with transaction volume. A Level 1 merchant faces a full Report on Compliance (RoC) signed off by a Qualified Security Assessor (QSA), often costing tens of thousands of pounds and taking months. A Level 4 merchant can usually self-attest with a Self-Assessment Questionnaire in an afternoon. Service providers run on a separate scale — anyone handling more than 300,000 card transactions a year sits at Level 1 service provider, with audit requirements similar to a Level 1 merchant.
Why Compliance Levels Exist
It wouldn't make sense to impose the same validation requirements on a corner shop and a national supermarket chain, so PCI DSS uses a tiered system. Your level is set primarily by how many card transactions you process each year, and it dictates how rigorously you have to demonstrate compliance.
There are four compliance levels, numbered 1 through 4. Level 1 is the highest, requiring the most rigorous validation. Level 4 is the lowest, with lighter-touch requirements. Most small and mid-sized businesses fall into Level 3 or Level 4, which means they can validate compliance through a Self-Assessment Questionnaire (SAQ) rather than a formal on-site audit.
Working out your compliance level is one of the first things to do when you start on PCI DSS. It tells you what validation you need, what it's likely to cost, and what resources you'll need. Here's how the four levels break down.
The Four Compliance Levels
Level 1 — Over 6 Million Transactions Per Year
Level 1 applies to the largest merchants — those processing more than 6 million card transactions annually across all channels (in-store, online, telephone, and any other method combined). This includes major retailers, airlines, hotel chains, and large e-commerce platforms.
Level 1 validation requirements are the most stringent:
- Annual on-site assessment conducted by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (RoC)
- Quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV)
- Annual penetration testing
- Attestation of Compliance (AoC) submitted to the acquiring bank
Level 1 compliance isn't cheap. A QSA assessment alone runs from £30,000 to £100,000+ depending on the complexity of the cardholder data environment. Add remediation, security tools, and internal time, and total annual spend for Level 1 merchants often lands in six figures.
Level 2 — 1 Million to 6 Million Transactions Per Year
Level 2 covers mid-sized merchants processing between 1 million and 6 million transactions annually. Regional retail chains, established e-commerce businesses, and medium-sized service providers typically fall into this bracket.
Level 2 validation requirements include:
- Annual Self-Assessment Questionnaire (SAQ) — though some acquiring banks may still require a QSA assessment
- Quarterly ASV network vulnerability scans
- Attestation of Compliance (AoC)
The practical difference from Level 1 is that most Level 2 merchants can self-assess instead of hiring a QSA. But your acquiring bank has the final say. Some banks still require Level 2 merchants to engage a QSA, especially if there's been a previous security incident.
Level 3 — 20,000 to 1 Million E-Commerce Transactions Per Year
Level 3 is specifically focused on e-commerce merchants processing between 20,000 and 1 million online transactions annually. This level was designed to address the particular risks associated with internet-facing payment systems.
If your business primarily takes payments in person or by phone, Level 3 typically wouldn't apply based on e-commerce volume alone — you'd more likely fall into Level 4 based on your total transaction count.
Validation requirements for Level 3:
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly ASV network vulnerability scans
- Attestation of Compliance (AoC)
Level 4 — Fewer Than 20,000 E-Commerce Transactions or Up to 1 Million Total Transactions Per Year
Level 4 is where the majority of businesses sit. If you process fewer than 20,000 e-commerce transactions annually, or up to 1 million total transactions across all channels, you're a Level 4 merchant. This covers most small businesses, independent retailers, professional services firms, charities, and small contact centres.
Level 4 validation requirements are the lightest:
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly ASV network vulnerability scans (recommended, and often required by acquiring banks)
- Attestation of Compliance (AoC)
Don't mistake "lightest" for "optional." Level 4 merchants are still fully bound by PCI DSS. The 12 requirements still apply. The difference is in how you prove compliance — through self-assessment rather than external audit.
How Transaction Counts Are Calculated
A common source of confusion is how transactions are counted. Here are some important details:
- Each individual transaction counts — if a customer buys three items in separate transactions, that's three transactions, not one
- All card brands are combined — you add up Visa, Mastercard, Amex, and any other card brand transactions together
- All channels are combined for Level 1 and 2 — online, in-store, telephone, and mail order transactions are totalled
- E-commerce is counted separately for Level 3 — this threshold specifically measures online transactions
- Refunds and chargebacks typically count as they still involve transmitting card data
Your acquiring bank is the ultimate authority on your compliance level. If you're unsure, ask them directly. They'll be able to tell you your classification based on their records of your transaction volume.
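As an added example (not code from the Paytia guide), here are the counting rules and level thresholds above encoded as a small classifier; it also covers the breach and acquirer escalations and the separate service-provider scale described later in this module. All function and variable names, and the exact boundary handling at 20,000, 1 million and 6 million, are assumptions.

```python
# Added example, not from the Paytia guide: derive a merchant's PCI DSS level
# from per-channel, per-brand annual counts using this module's thresholds.
# Exact boundary handling (20,000 / 1 million / 6 million) is an assumption;
# the page gives ranges and the acquiring bank's reading is final.

# Constructed sample year for a hypothetical retailer: (channel, brand, count); refunds included.
SAMPLE_RECORDS = [
    ("in-store", "visa", 600_000),
    ("in-store", "mastercard", 250_000),
    ("telephone", "visa", 40_000),
    ("ecommerce", "visa", 30_000),
    ("ecommerce", "amex", 5_000),
    ("ecommerce", "visa-refunds", 2_000),
]

def aggregate(records):
    """Sum every brand and channel for the total, and track e-commerce
    separately because Level 3 is measured on that count alone."""
    total = ecom = 0
    for channel, _brand, n in records:
        total += n
        if channel == "ecommerce":
            ecom += n
    return total, ecom

def merchant_level(total, ecom, breached=False, acquirer_required_level=None):
    """Map counts to Level 1-4. A breach escalates to Level 1 regardless of
    volume; the acquirer can only move a merchant up (to a lower number)."""
    if breached:
        return 1
    if total > 6_000_000:
        level = 1
    elif total > 1_000_000:
        level = 2
    elif ecom >= 20_000:   # Level 3 keys off e-commerce volume, not the total
        level = 3
    else:
        level = 4
    if acquirer_required_level is not None:
        level = min(level, acquirer_required_level)
    return level

def service_provider_level(total, brand_designated=False):
    """Service providers sit on a separate two-level scale."""
    return 1 if brand_designated or total > 300_000 else 2

if __name__ == "__main__":
    total, ecom = aggregate(SAMPLE_RECORDS)
    print(f"total={total:,} ecommerce={ecom:,} -> merchant Level {merchant_level(total, ecom)}")
```

The sample retailer stays under 1 million in total but exceeds 20,000 online transactions, so it lands at Level 3 rather than Level 4.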
What Happens When Your Level Changes
Compliance levels aren't permanent. As your business grows and transaction volumes increase, you may be reclassified to a higher level. Similarly, if volumes decrease, you might move to a lower level — though this is less common and banks tend to be conservative about downgrading.
There are also situations where you can be moved up regardless of volume:
- After a data breach — card brands or your acquiring bank can escalate you to Level 1, requiring a full QSA assessment, regardless of how many transactions you process
- At the acquiring bank's discretion — if your bank has concerns about your security posture, they can require more rigorous validation
- Card brand mandates — Visa, Mastercard, and others can designate specific merchants for enhanced monitoring at any time
This is an important point: compliance levels determine the minimum validation. Your acquiring bank can always require more.
Compliance Levels for Service Providers
The levels we've discussed so far apply to merchants — businesses that accept card payments. Service providers — companies that store, process, or transmit cardholder data on behalf of merchants — have their own classification:
- Level 1 service providers process more than 300,000 transactions per year, or are designated by a card brand. They must undergo an annual QSA assessment and produce a Report on Compliance.
- Level 2 service providers process fewer than 300,000 transactions per year. They can complete an annual SAQ and quarterly ASV scans.
When you're evaluating payment solutions, check that the provider holds appropriate PCI DSS validation. We're validated as a PCI DSS Level 1 service provider at Paytia, which means we go through the toughest annual assessment every year — so our clients can show their own assessors that the platform they're relying on is properly audited.
The Relationship Between Levels and SAQs
Your compliance level tells you how to validate. Your SAQ type tells you what to validate. They work together.
A Level 4 merchant who has fully outsourced card processing might complete SAQ A (22 questions) once a year. A Level 4 merchant who stores card data on their own servers would need SAQ D (329 questions). Both are Level 4, but their compliance workload is vastly different because of how they handle card data.
This is why descoping — reducing the number of systems that touch card data — is so valuable. It doesn't change your compliance level, but it can dramatically simplify your SAQ. We cover SAQ types in detail in Guide 4 and descoping strategies in Guide 5.
Key Takeaways
- There are four compliance levels for merchants, based on annual card transaction volume — Level 1 (over 6 million) through Level 4 (up to 1 million total or under 20,000 e-commerce)
- Most small and mid-sized businesses are Level 4, validating compliance through annual Self-Assessment Questionnaires rather than on-site audits
- Your acquiring bank determines your level and can require more rigorous validation than the minimum — especially after a data breach
- Service providers have a separate two-level system — always check that your payment providers maintain appropriate PCI DSS validation
- Your level determines how you validate; your SAQ type determines what you validate — reducing scope through descoping simplifies the "what" regardless of your level
- All levels require full PCI DSS compliance — the difference is in the rigour of validation, not in whether the requirements apply
Frequently Asked Questions
How do I know which PCI compliance level I am?
Your level depends on how many card transactions you process annually. Level 4 is under 20,000 e-commerce or up to 1 million total transactions. Level 1 is over 6 million transactions per year.
Can my compliance level change?
Yes — if your transaction volume grows (or shrinks), your acquiring bank may reclassify you. A data breach can also force you to a higher level regardless of volume.
What is the difference between Level 1 and Level 4?
Level 1 merchants must undergo an annual on-site audit by a Qualified Security Assessor (QSA) and quarterly network scans. Level 4 merchants typically complete a Self-Assessment Questionnaire (SAQ) and quarterly scans.
Who decides which compliance level I'm at?
Your acquiring bank does, based on the annual card transaction volume you report. The card brands publish the thresholds (Level 1 is 6 million+ Visa transactions a year, for example) but it's the acquirer that applies them and can override them upward. After a data breach, an acquirer often bumps a merchant up a level regardless of volume.
Can my level change from one year to the next?
Yes — and it does. If your transaction volume crosses a threshold, your acquirer reclassifies you at the next annual review. A data breach can move you up immediately. Coming down a level is harder; acquirers usually want to see a clean year at the lower volume before they relax validation requirements.
Do compliance levels work the same way for service providers?
No. Service providers run on a separate two-level scale. Anyone handling more than 300,000 card transactions a year sits at Service Provider Level 1, with audit obligations similar to a Level 1 merchant. Below that threshold you're Level 2, with self-assessment options. If you use a service provider, check their Attestation of Compliance — their level matters to your scope.
Does my level affect which SAQ I complete?
Indirectly. Your level decides whether you self-assess or face a QSA audit. The SAQ type — A, A-EP, B, C, D and the rest — depends on how you accept payments, not on volume. A Level 4 merchant could still need SAQ D if they store card data themselves; a Level 2 merchant who fully outsources might qualify for the 22-question SAQ A.