PCI DSS Levels

PCI Compliance Levels Explained: Which Level Is Your Business?

A complete guide to the 4 PCI DSS merchant levels — what they mean, who they apply to, and exactly what validation each level requires.

4 merchant levels
PCI DSS v4.0
Cost & requirement guide
QSA-led
StandardPCI DSS v4.0
4 Merchant Levels
Tiered by annual transaction volume
L1
6M+ · ROC
L2
1–6M · SAQ
L3
20K–1M · SAQ
L4
<20K · SAQ
Defined by Visa, Mastercard, AmEx, Discover, JCB
Set by acquirers
Confirm yours with your bank
Trusted by compliance teams across ANZ
SparkDatacomInland RevenueVodafoneHumm GroupCCLFidelityIllionPlan BXplore
The basics

What Are PCI Compliance Levels?

PCI DSS compliance levels — also called merchant levels — are a tiered classification system created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to determine the level of validation a business must complete each year. Your level is based primarily on your annual card transaction volume.

The higher your transaction volume, the more rigorous your compliance requirements. A Level 1 enterprise merchant processing millions of transactions daily faces very different obligations from a Level 4 small business processing a few hundred transactions per month — yet both must comply with the same underlying PCI DSS standard.

Compare at a glance

PCI Compliance Levels at a Glance

Quick reference comparison of all PCI compliance levels — for both merchants and service providers.

Merchant Levels
Level Transaction Volume Validation Required ASV Scans Pen Test
Level 1Over 6M / yearAnnual QSA on-site audit + ROCQuarterlyAnnual
Level 21M – 6M / yearAnnual SAQ (or QSA-guided)QuarterlyRecommended
Level 320K – 1M e-com / yearAnnual SAQQuarterlyRecommended
Level 4Under 20K e-com / yearAnnual SAQ (recommended)If applicableRecommended
Service Provider Levels
Level Transaction Volume Validation Required ASV Scans Pen Test
SP Level 1≥ 300K Visa/MC transactions / year — or all acquiring service providersAnnual on-site QSA audit + ROCQuarterlyAnnual
SP Level 2Under 300K Visa/MC transactions / yearAnnual SAQ-D for Service ProvidersQuarterlyRecommended

Service Provider levels are defined by Visa and Mastercard based on annual transaction volume processed on behalf of merchants. Acquirers, processors, gateways, and hosting providers handling cardholder data are typically Level 1.

In detail

Detailed Breakdown of Merchant Levels

Who each level applies to, what validation it requires, and what compliance typically costs:

Level 1

Enterprise Merchants

Over 6 million card transactions per year across all channels
Who This Applies To
Large retailers, e-commerce platforms, financial institutions, and any merchant processing over 6 million Visa or Mastercard transactions annually. Also applies to any merchant that has suffered a data breach.
Annual Requirements
Annual on-site QSA audit (Report on Compliance) and quarterly ASV network scans.
Typical Annual Cost
USD 50,000 – 500,000+ depending on CDE scope, infrastructure complexity, and remediation requirements. QSA audit fees alone typically range from USD 20,000 – 100,000.
Level 2

Large Merchants

1 million to 6 million card transactions per year
Who This Applies To
Mid-to-large retailers, regional e-commerce businesses, hospitality chains, and merchants processing between 1 and 6 million transactions annually across any channel.
Annual Requirements
Annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans.
Typical Annual Cost
USD 10,000 – 50,000. SAQ completion with QSA guidance typically ranges from USD 5,000 – 20,000. ASV scanning adds USD 1,000 – 5,000 per year.
Level 3

Mid-Size E-Commerce Merchants

20,000 to 1 million e-commerce transactions per year
Who This Applies To
Growing online retailers, SaaS businesses with payment processing, and any merchant processing 20,000 to 1 million card-not-present (e-commerce) transactions annually.
Annual Requirements
Annual SAQ completion and quarterly ASV scans.
Typical Annual Cost
USD 3,000 – 15,000. Many Level 3 merchants can significantly reduce scope and cost by using a compliant hosted payment page or payment tokenisation.
Level 4

Small Merchants

Fewer than 20,000 e-commerce transactions or up to 1 million total transactions per year
Who This Applies To
Small businesses, independent retailers, local service providers, and start-ups processing card payments at low volumes — the vast majority of merchants globally fall into this category.
Annual Requirements
Annual SAQ and quarterly scans recommended.
Typical Annual Cost
USD 500 – 5,000. Using a fully hosted payment solution (e.g. Stripe, Square) can reduce scope to the simplest SAQ-A questionnaire — just 22 questions.
The path

How to Achieve Compliance at Any Level

Regardless of your merchant level, the path to PCI compliance follows the same fundamental steps. Here is what each stage involves:

Step 1

Scope Your Cardholder Data Environment

Identify all systems, networks, and processes that store, process, or transmit cardholder data. Reducing scope is the single biggest lever for reducing compliance cost.

Step 2

Conduct a Gap Assessment

Compare your current security controls against PCI DSS v4.0 requirements. Identify where you are compliant and where gaps exist that require remediation.

Step 3

Remediate Identified Gaps

Prioritise and address vulnerabilities — from firewall configuration and patch management to access controls, encryption, and staff training.

Step 4

Complete Your Validation

Depending on your level: complete the appropriate SAQ, arrange ASV scans, or engage a QSA for an on-site assessment and Report on Compliance.

Step 5

Submit Attestation

Submit your Attestation of Compliance (AOC) and any supporting documentation to your acquiring bank or card brand as required.

Step 6

Maintain Continuous Compliance

PCI compliance is annual, not one-time. Establish ongoing monitoring, quarterly scans, staff training, and change management processes to stay compliant year-round.

Complimentary · No Obligation

Not Sure Which PCI Level You Are?

30 minutes with a practising QSA who’ll confirm your merchant level, identify which SAQ applies, and outline what compliance will actually cost you — no commitment, no sales pitch.

Confirm your PCI merchant level
Right SAQ identification
Indicative cost & timeline
Scope reduction opportunities
Book Your Free Level Check
QSA-led call 30-min commitment 1 business-day response
FAQ

Frequently Asked Questions about PCI Compliance Levels

How do I know which PCI compliance level I am?
Your merchant level is determined by your acquiring bank based on your annual card transaction volume reported to the card brands. Contact your acquiring bank or payment processor to confirm your current level. Note that Visa and Mastercard may classify you differently, so you may technically have different levels for different card brands.
Can my merchant level change over time?
Yes. As your business grows and transaction volumes increase, you may move to a higher level with more stringent requirements. You can also be elevated to Level 1 by a card brand regardless of volume — for example, if your business has experienced a significant data breach. Level upgrades typically take effect in the next compliance cycle.
What is an SAQ and which type do I need?
A Self-Assessment Questionnaire (SAQ) is a validation tool for merchants who are not required to undergo a full QSA audit. There are 9 SAQ types (SAQ-A through SAQ-D) depending on how you accept payments. SAQ-A (22 questions) applies to merchants using fully outsourced card processing with no electronic storage. SAQ-D (over 200 questions) applies to merchants who store cardholder data electronically.
Does using Stripe or PayPal mean I am already PCI compliant?
Not entirely. Using a PCI-compliant payment processor like Stripe or PayPal significantly reduces your compliance scope — you can often qualify for the simplest SAQ-A form. However, you are still responsible for ensuring your own website and systems do not introduce vulnerabilities (e.g. web skimming, insecure redirects). Your compliance obligation doesn’t disappear; it just becomes smaller.
What happens if I move from Level 4 to Level 3?
Moving from Level 4 to Level 3 means you now have formally required (rather than just recommended) annual SAQ and ASV scan obligations. The core security requirements remain the same — the difference is in the formal validation you must complete and submit to your acquiring bank. It is advisable to work with a QSA to ensure your SAQ is completed accurately when transitioning levels.
Get clarity

Not Sure Which PCI Level You Are?

Our certified QSAs can confirm your level, the right SAQ, and what your compliance journey actually looks like — in a single 30-minute call.

QSA-led · ANZ · EU · NA · 1 business-day response

Continue your PCI journey

All PCI services →
Free tool

SAQ Selector

Find the right SAQ for your business in under 60 seconds. 9 outcomes, no signup.

Open the selector
Service

PCI Compliance Assistance

QSA-led, end-to-end PCI compliance assistance — from gap assessment to certified AOC.

View service
Guide

What is PCI Compliance?

The complete business guide to PCI DSS — what it is, what’s required, and how to get there.

Read the guide