
The PCI DSS Merchant Compliance Levels Explained

Payment Card Assessments | PCI DSS

Published: Jun 30, 2014

Last Updated: Jun 4, 2025

If your business has been flagged as needing a PCI DSS assessment because you're classified as a "Merchant Level 2" (or Level 1, 3, or 4), you're probably wondering: What does that actually mean? And more likely, what’s the difference between these levels, anyway? 

You're not alone in your confusion. "Merchant level" is a term used to categorize businesses that accept card payments. It applies only to merchants, and it determines how they're expected to validate PCI DSS compliance based on annual transaction volume. However, it can be difficult to tell the four merchant levels apart and, even more so, to determine your own merchant level and your best course of action toward PCI DSS compliance.

As auditors experienced in leading PCI engagements across multiple industry verticals for merchants and service providers, we’re here to help. In this blog, we’ll break down the different PCI DSS merchant levels, including who each level applies to and what the requirements involve. We’ll also cover key steps for determining your merchant level and what to do next. This way, you can proceed in your PCI DSS compliance journey with confidence. 

What Are PCI Merchant Compliance Levels? 

Each of the major card brands—Visa, Mastercard, American Express, Discover, and JCB—uses PCI merchant compliance levels to group businesses by annual transaction volume. These levels don't change what's involved in PCI DSS validation itself, since the requirements apply to everyone handling cardholder data, but they do dictate how you prove you're meeting those requirements.

There are four merchant levels in total, and while the thresholds are similar across brands, each card brand reserves the right to adjust the transaction volume criteria that determine a merchant's level, typically in coordination with the acquirer, which is the financial institution or bank that manages card transactions on the merchant's behalf.

An Overview of the Different PCI Compliance Levels 

The following levels are based on transaction volume and determine the scope of requirements for each business:  

PCI Compliance Level 1 

  • Level 1 applies to: Large organizations processing more than 6 million transactions annually, or any business the card brands consider high-risk. This is the highest validation level, so it comes with the most requirements.
  • Level 1 requirements: A PCI DSS assessment and Report on Compliance (ROC) by a Qualified Security Assessor (QSA), quarterly scans by an approved scanning vendor (ASV), and a signed Attestation of Compliance (AOC). 

PCI Compliance Level 2 

  • Level 2 applies to: Mid-size merchants processing 1 to 6 million transactions annually (varies by brand; see table below for specifics).
  • Level 2 requirements: Annual Self-Assessment Questionnaire (SAQ), quarterly ASV scans, and possibly QSA involvement depending on your SAQ type and acquirer expectations. 

PCI Compliance Level 3 

  • Level 3 applies to: Primarily smaller e-commerce businesses processing 20,000 to 1 million card-not-present transactions annually. 
  • Level 3 requirements: Annual SAQ, quarterly ASV scans, and AOC. 

PCI Compliance Level 4 

  • Level 4 applies to: Small businesses with fewer than 20,000 e-commerce transactions annually or up to 1 million transactions in total. This covers the majority of small businesses and lower-risk merchants.
  • Level 4 requirements: Annual SAQ, quarterly ASV scans, and AOC submission may depend on your acquirer. 
    *Even though the compliance bar is technically lower at this level, acquiring banks can—and often do—ask for more, especially if they perceive a risk factor. 

PCI DSS Merchant Compliance Levels Determined by Major Card Brands (per annual transactions):

| Level   | Visa & Mastercard | American Express | Discover                 | JCB |
|---------|-------------------|------------------|--------------------------|-----|
| Level 1 | >6M               | >2.5M            | >6M                      | >1M |
| Level 2 | 1M-6M             | 50,000-2.5M      | 1M-6M                    | <1M |
| Level 3 | 20,000-1M         | 10,000-50,000    | 20,000-1M                | <1M |
| Level 4 | <20,000           | <10,000          | Not otherwise classified | <1M |

How to Determine Your PCI Compliance Level and What to Do Next 

If you’ve just been told you fall into a particular level, or you want to know how to determine your level yourself, here’s what you should do: 

  1. Determine or confirm your level with your acquiring bank or payment processor. This requires a thorough review and understanding of the volume of card transactions that you processed throughout the previous year. 

  2. Find out which SAQ applies to your business (each SAQ includes eligibility criteria near the start – or you can ask a QSA for additional clarity). 

  3. Determine if you need a QSA. Level 1 merchants require a QSA assessment, but at any level, a QSA can help you choose the right SAQ and ensure you meet key requirements. 

  4. Plan for your annual PCI assessment (SAQ or ROC) and plan for quarterly scans by an Approved Scanning Vendor (ASV). 

Moving Forward in Your PCI DSS Compliance Journey 

Ultimately, every entity that stores, processes, or transmits cardholder data is required to comply with all relevant PCI DSS requirements regardless of annual transaction volume, and understanding your PCI merchant level helps clarify your path ahead. It defines the steps your business needs to take to meet PCI compliance obligations, protect cardholder data, and demonstrate your commitment to security and trust. Whether you're completing a self-assessment or working with a QSA, you're taking action that reflects both your business priorities and your commitment to customer trust.

If you’re ready to proceed with your PCI DSS Validation or have any additional questions about the requirements or overall process, Schellman can help. Contact us today and we’ll get back to you shortly. 

About Eric Sampson

Eric Sampson is a Director at Schellman, where he helps lead the PCI practice and works with clients across industries including merchants, cloud and technology service providers, healthcare, eCommerce, and financial services. With over 20 years of experience, Eric has guided hundreds of client engagements in areas including PCI, SOC, WebTrust for Certification Authorities, HIPAA, Federal PKI, and agreed-upon procedures.