866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
ISO 14001
ISO 45001
ISO 50001
Privacy Assessments
Privacy Assessments
Global CBPR & PRP Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

The PCI DSS Merchant Compliance Levels Explained Blog Feature
Eric Sampson

By: Eric Sampson

Print/Save as PDF

The PCI DSS Merchant Compliance Levels Explained

Payment Card Assessments | PCI DSS

Published: Jun 30, 2014

Last Updated: Jun 4, 2025

If your business has been flagged as needing a PCI DSS assessment because you're classified as a "Merchant Level 2" (or Level 1, 3, or 4), you're probably wondering: What does that actually mean? And more likely, what’s the difference between these levels, anyway? 

You're not alone in your confusion. “Merchant level” is a term used to categorize businesses that accept card payments. It only applies to merchants, and it determines how they’re expected to validate PCI DSS compliance based on annual transaction volume. However, it can be difficult to know the difference between the four merchant levels and even more so, how to determine your merchant level and your best course of action towards PCI DSS compliance.  

As auditors experienced in leading PCI engagements across multiple industry verticals for merchants and service providers, we’re here to help. In this blog, we’ll break down the different PCI DSS merchant levels, including who each level applies to and what the requirements involve. We’ll also cover key steps for determining your merchant level and what to do next. This way, you can proceed in your PCI DSS compliance journey with confidence. 

What Are PCI Merchant Compliance Levels? 

Each of the major card brands—Visa, Mastercard, American Express, Discover, and JCB—use PCI merchant compliance levels to group businesses by annual transaction volume. These levels don’t change what’s involved for PCI DSS validation itself, as those requirements apply to everyone handling cardholder data, but they do dictate how you prove you’re meeting the specific requirements. 

There are four merchant levels in total, and while the thresholds are similar across brands, each card brand reserves the right to adjust the transaction volume criteria that determine a merchant’s level —typically in coordination with the acquirer, which is the financial institution or bank that manages card transactions on the merchant’s behalf. 

An Overview of the Different PCI Compliance Levels 

The following levels are based on transaction volume and determine the scope of requirements for each business:  

PCI Compliance Level 1 

  • Level 1 applies to: Large organizations processing 6 million transactions annually, or any business the card brands consider high-risk. This is the highest validation level, so it comes with the most requirements.
  • Level 1 requirements: A PCI DSS assessment and Report on Compliance (ROC) by a Qualified Security Assessor (QSA), quarterly scans by an approved scanning vendor (ASV), and a signed Attestation of Compliance (AOC). 

PCI Compliance Level 2 

  • Level 2 applies to: Mid-size merchants processing 1 to 6 million transactions annually (varies by brand; see table below for specifics).
  • Level 2 requirements: Annual Self-Assessment Questionnaire (SAQ), quarterly ASV scans, and possibly QSA involvement depending on your SAQ type and acquirer expectations. 

PCI Compliance Level 3 

  • Level 3 applies to: Primarily smaller e-commerce businesses processing 20,000 to 1 million card-not-present transactions annually. 
  • Level 3 requirements: Annual SAQ, quarterly ASV scans, and AOC. 

PCI Compliance Level 4 

  • Level 4 applies to: Small businesses with fewer than 20,000 e-commerce transactions annually or up to 1 million transactions in total. This covers the majority of small businesses and lower-risk merchants.
  • Level 4 requirements: Annual SAQ, quarterly ASV scans, and AOC submission may depend on your acquirer. 
    *Even though the compliance bar is technically lower at this level, acquiring banks can—and often do—ask for more, especially if they perceive a risk factor. 

PCI DSS Merchant Compliance Levels Determined by Major Card Brands (per annual transactions):

 

Visa & Mastercard 

American Express 

Discover 

JCB 

Level 1 

>6M 

>2.5M 

>6M 

>1M 

Level 2 

1M-6M 

50,000-2.5M 

1M-6M 

<1M 

Level 3 

20,000-1M 

10,000-50,000 

20,000-1M 

<1M 

Level 4 

<20,000 

<10,000  

Not otherwise classified 

<1M 

How to Determine Your PCI Compliance Level and What to Do Next 

If you’ve just been told you fall into a particular level, or you want to know how to determine your level yourself, here’s what you should do: 

  1. Determine or confirm your level with your acquiring bank or payment processor. This requires a thorough review and understanding of the volume of card transactions that you processed throughout the previous year. 

  2. Find out which SAQ applies to your business (each SAQ includes eligibility criteria near the start – or you can ask a QSA for additional clarity). 

  3. Determine if you need a QSA. Level 1 merchants require a QSA assessment, but at any level, a QSA can help you choose the right SAQ and ensure you meet key requirements. 

  4. Plan for your annual PCI assessment (SAQ or ROC) and plan for quarterly scans by an Approved Scanning Vendor (ASV). 

Moving Forward in Your PCI DSS Compliance Journey 

Ultimately, every entity who stores, processes, or transmits cardholder data is required to comply with all relevant PCI DSS requirements regardless of annual transaction volume and understanding your PCI merchant level helps clarify your path ahead. It defines the steps your business needs to take to meet PCI compliance obligations, protect cardholder data, and demonstrate your commitment to security and trust. Whether you're completing a self-assessment or working with a QSA, you're taking action that reflects both your business priorities and commitment to customer trust.  

If you’re ready to proceed with your PCI DSS Validation or have any additional questions about the requirements or overall process, Schellman can help. Contact us today and we’ll get back to you shortly. 

In the meantime, discover other helpful insights about PCI DSS requirements in these additional resources: 

About Eric Sampson

Eric Sampson is a Director at Schellman, where he helps lead the PCI practice and works with clients across industries including merchants, cloud and technology service providers, healthcare, eCommerce, and financial services. With over 20 years of experience, Eric has guided hundreds of client engagements in areas including PCI, SOC, WebTrust for Certification Authorities, HIPAA, Federal PKI, and agreed-upon procedures.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.