PCI Compliance Levels Explained: Which Level Is Your Business?
A complete guide to the 4 PCI DSS merchant levels — what they mean, who they apply to, and exactly what validation each level requires.
What Are PCI Compliance Levels?
PCI DSS compliance levels — also called merchant levels — are a tiered classification system created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to determine the level of validation a business must complete each year. Your level is based primarily on your annual card transaction volume.
The higher your transaction volume, the more rigorous your compliance requirements. A Level 1 enterprise merchant processing millions of transactions daily faces very different obligations from a Level 4 small business processing a few hundred transactions per month — yet both must comply with the same underlying PCI DSS standard.
PCI Compliance Levels at a Glance
Quick reference comparison of all PCI compliance levels — for both merchants and service providers.
| Level | Transaction Volume | Validation Required | ASV Scans | Pen Test |
|---|---|---|---|---|
| Level 1 | Over 6M / year | Annual QSA on-site audit + ROC | Quarterly | Annual |
| Level 2 | 1M – 6M / year | Annual SAQ (or QSA-guided) | Quarterly | Recommended |
| Level 3 | 20K – 1M e-com / year | Annual SAQ | Quarterly | Recommended |
| Level 4 | Under 20K e-com / year | Annual SAQ (recommended) | If applicable | Recommended |
| Level | Transaction Volume | Validation Required | ASV Scans | Pen Test |
|---|---|---|---|---|
| SP Level 1 | ≥ 300K Visa/MC transactions / year — or all acquiring service providers | Annual on-site QSA audit + ROC | Quarterly | Annual |
| SP Level 2 | Under 300K Visa/MC transactions / year | Annual SAQ-D for Service Providers | Quarterly | Recommended |
Service Provider levels are defined by Visa and Mastercard based on annual transaction volume processed on behalf of merchants. Acquirers, processors, gateways, and hosting providers handling cardholder data are typically Level 1.
Detailed Breakdown of Merchant Levels
Who each level applies to, what validation it requires, and what compliance typically costs:
Enterprise Merchants
Large Merchants
Mid-Size E-Commerce Merchants
Small Merchants
How to Achieve Compliance at Any Level
Regardless of your merchant level, the path to PCI compliance follows the same fundamental steps. Here is what each stage involves:
Scope Your Cardholder Data Environment
Identify all systems, networks, and processes that store, process, or transmit cardholder data. Reducing scope is the single biggest lever for reducing compliance cost.
Conduct a Gap Assessment
Compare your current security controls against PCI DSS v4.0 requirements. Identify where you are compliant and where gaps exist that require remediation.
Remediate Identified Gaps
Prioritise and address vulnerabilities — from firewall configuration and patch management to access controls, encryption, and staff training.
Complete Your Validation
Depending on your level: complete the appropriate SAQ, arrange ASV scans, or engage a QSA for an on-site assessment and Report on Compliance.
Submit Attestation
Submit your Attestation of Compliance (AOC) and any supporting documentation to your acquiring bank or card brand as required.
Maintain Continuous Compliance
PCI compliance is annual, not one-time. Establish ongoing monitoring, quarterly scans, staff training, and change management processes to stay compliant year-round.
Not Sure Which PCI Level You Are?
30 minutes with a practising QSA who’ll confirm your merchant level, identify which SAQ applies, and outline what compliance will actually cost you — no commitment, no sales pitch.
Frequently Asked Questions about PCI Compliance Levels
How do I know which PCI compliance level I am?
Can my merchant level change over time?
What is an SAQ and which type do I need?
Does using Stripe or PayPal mean I am already PCI compliant?
What happens if I move from Level 4 to Level 3?
Not Sure Which PCI Level You Are?
Our certified QSAs can confirm your level, the right SAQ, and what your compliance journey actually looks like — in a single 30-minute call.
Continue your PCI journey
All PCI services →SAQ Selector
Find the right SAQ for your business in under 60 seconds. 9 outcomes, no signup.
Open the selectorPCI Compliance Assistance
QSA-led, end-to-end PCI compliance assistance — from gap assessment to certified AOC.
View serviceWhat is PCI Compliance?
The complete business guide to PCI DSS — what it is, what’s required, and how to get there.
Read the guide







