
PCI DSS Compliance Levels and What They Mean for Your Business

Author: Chris Brown
Published: October 15, 2025

PCI DSS compliance levels categorize businesses by the number of card transactions they process each year. The larger the volume (and the lower the level number, with Level 1 at the top), the more rigorous the validation and assessment requirements.

For most small businesses, this means falling into Level 4, where validation consists of completing a Self-Assessment Questionnaire (SAQ), passing quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and submitting an Attestation of Compliance (AOC).

Why does this matter? Staying Payment Card Industry Data Security Standard (PCI DSS) compliant isn’t just about avoiding fines. It’s about protecting customer payment data, maintaining trust, and reducing the risk of a costly breach. Understanding which level you fall under helps you know what’s required, how much effort is involved, and how to plan for ongoing compliance.

In this guide, we’ll break down the four PCI DSS compliance levels in plain terms.

What Are PCI DSS Compliance Levels and Why Do They Matter?

PCI DSS compliance levels are four categories that the card brands and acquiring banks (usually via your payment processor) use to classify merchants by how many card transactions they handle each year. The largest merchants fall into Level 1, which requires an annual onsite assessment and a Report on Compliance (ROC) to independently verify that the required safeguards are in place. Smaller companies, including most local businesses, usually fall into Level 4, where validation rests on a Self-Assessment Questionnaire (SAQ) with an accompanying Attestation of Compliance (AOC), quarterly external vulnerability scans, and adherence to the other requirements for safeguarding payment card data.

These levels are not just technical labels. They carry real implications. If a business is found to be non-compliant, payment processors and banks can issue fines, non-compliance fees, or even restrict transactions. In the event of a data breach, merchants may be held responsible for card replacement costs, fraud losses, and mitigation efforts, along with the damage of lost sales and reputational harm.

The PCI DSS itself is built around twelve core requirements. They cover protecting the cardholder data environment with network security controls and secure configurations, protecting stored account data and using strong cryptography for cardholder data sent over open networks, defending systems against malicious software, developing and maintaining secure systems and software, and testing security regularly (including vulnerability scans and penetration tests). Businesses are also expected to restrict access on a need-to-know basis, identify and authenticate users, control physical access, log and monitor all access to system components and cardholder data, and maintain an information security policy. Together, these measures create a framework that every merchant, regardless of level, can follow to reduce the risk of payment fraud and data theft.

That is why PCI DSS compliance matters. It reduces your risk of theft, payment fraud, and financial losses while helping you maintain customer trust. Whether you are processing a few thousand transactions a year or millions, meeting the requirements of your compliance level is essential for protecting both your business and your customers.

4 PCI DSS Compliance Levels Explained

The four PCI DSS compliance levels are arranged in order of number of transactions, with level 1 merchants processing the most, and level 4 merchants processing very few by comparison. Ultimately, these levels determine what security, assessment, and auditing measures are expected from these businesses, and they even help firms to budget for the overall costs of compliance each year.

It’s worth noting that each card brand publishes its own level definitions, and each acquirer or payment processor may apply them slightly differently; however, the general practice is the same. In any case, we always recommend you check your compliance level and expectations directly with your processor to avoid any doubt.

Beyond this, it’s also wise to consult the PCI Security Standards Council (PCI SSC) and its document library, which is full of useful guides and frameworks to help you determine where you fit.

Let’s explore each of the generic levels and what is expected from merchants at each:

Level 4

Merchants that process fewer than 20,000 e-commerce transactions a year are generally considered Level 4. Under Visa’s definitions the level also covers all other merchants (for example card-present retailers) that process up to one million Visa transactions a year across all channels. Again, it is wise to check the thresholds your specific acquirer or payment processor applies.

Level 4 merchants are small businesses that must still meet every PCI DSS requirement applicable to how they take payments, but face less stringent validation than the other levels. They don’t need an external assessment or a ROC. They are generally expected to complete the SAQ that matches their payment channel, have an ASV scan their internet-facing systems quarterly, and sign an AOC; the acquirer decides exactly what must be submitted and when.

Level 4 merchants are expected to validate compliance through an SAQ and AOC, supported by quarterly network scans, without the need for an audit or formal ROC.

Level 3

Level 3 merchants are much smaller than Level 1 and Level 2 merchants, processing between 20,000 and one million e-commerce transactions a year. Generally, this covers small and medium-sized businesses and local firms that sell online.

Like Level 2, Level 3 merchants don’t need to involve external assessors and a ROC is not required, although some choose a QSA-assisted assessment to prepare for future growth.

However, they still need to submit an SAQ to prove their compliance, produce an AOC, and scan systems quarterly with an Approved Scanning Vendor (ASV).

Level 3 merchants must complete an SAQ and AOC and perform quarterly scans, but they are not required to submit a ROC unless specifically requested by their acquiring bank or payment processor.

Level 2

Level 2 merchants process between one million and six million transactions a year. Under Visa’s rules they may assess themselves with an SAQ rather than engaging a QSA, and attest to their own compliance. Mastercard, by contrast, requires a Level 2 merchant’s SAQ to be completed by a QSA or by internal staff who hold the PCI SSC’s Internal Security Assessor (ISA) certification, so check which brand’s rules your acquirer applies.

To carry out this self-assessment, Level 2 merchants complete the SAQ appropriate to their payment channel. The SAQ forms are available from the PCI SSC document library.

Like Level 1 merchants, Level 2 merchants must show that they have validated compliance, but they do so through an SAQ and AOC submitted to their acquirer and provided to any other party entitled to request it.

And, again like Level 1, Level 2 merchants must pass quarterly ASV scans and complete an AOC.

Level 2 merchants are expected to complete an SAQ, AOC, and quarterly scans, with a ROC required in some cases depending on the acquiring bank or processor.

Level 1

Level 1 merchants are the largest of the four, processing more than six million transactions a year. The level also includes any merchant the card brands designate as Level 1, for example following a breach. These are typically large retailers and multinational companies with a broad ecommerce reach.

The card brands require merchants in this category to undergo an annual onsite assessment so that their compliance is independently confirmed. The assessment must be carried out by a PCI SSC-qualified QSA or, where the brand permits, by a certified Internal Security Assessor (ISA), with the resulting report signed by an officer of the company.

At the end of the assessment, the assessor produces a Report on Compliance (ROC), which the merchant submits to its acquirer and, on request, to the card brands.

On top of this, Level 1 merchants must have their external-facing systems scanned at least once a quarter by an Approved Scanning Vendor (ASV). They must also submit an Attestation of Compliance (AOC), which confirms to the acquirer and card brands that the assessment was completed and states whether the merchant is compliant.

Level 1 merchants must undergo an annual onsite assessment, submit a ROC and AOC, pass quarterly ASV scans, and perform the penetration testing and ongoing monitoring that the standard requires.

PCI DSS Compliance Levels for Service Providers

Service providers, such as hosting companies or payment processors, are classified into two levels based on annual transaction volume. Level 1 service providers store, process, or transmit more than 300,000 transactions a year and must undergo an annual onsite assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC), along with quarterly ASV scans, penetration tests, and an Attestation of Compliance (AOC). Level 2 service providers handle 300,000 or fewer transactions a year and can typically validate with the service-provider Self-Assessment Questionnaire (SAQ D for Service Providers) and an AOC, supported by quarterly ASV scans. The card brands and acquiring banks set the final requirements, so confirm expectations with your processor. In short, the service provider levels mirror the merchant levels but focus on the environments where cardholder data is stored, processed, or transmitted on behalf of others.

If you’re not sure which compliance level your business falls under, ask your acquiring bank or payment processor, which sets the rules that apply to you. Given that cybersecurity, revenue, and reputation are at stake, it’s vital to be safe rather than sorry.

What These Levels Mean for Your Business

PCI DSS compliance levels essentially dictate how your business must validate that it is protecting payment data, in proportion to the scale of the card volume you handle. They are useful guidelines for ensuring you are doing enough to protect your clients and customers from data breaches and bad actors. What’s more, these levels protect you from data security risks, loss of business and revenue, and reputation damage.

The levels also help businesses to account for how much they may need to spend on cybersecurity measures year on year. For example, a larger business falling under merchant level 1 will spend much more on auditing than a small firm at level 4. This is both due to the requirements set by PCI DSS and the attack surface involved (for example, the number of systems in a network or personnel onboard).

To meet these obligations, businesses often turn to tools and solutions such as:

  • A PCI DSS compliance checklist or consultancy service to track all required steps
  • Qualified Security Assessors (QSAs) for audits and Reports on Compliance (ROCs)
  • Approved Scanning Vendors (ASVs) for quarterly network scans
  • Technologies like point-to-point encryption (P2PE), strong cryptography, and configuration management to protect the cardholder data environment
  • Internal information technology and compliance teams to manage logging, monitoring, and policy enforcement

In short, the compliance levels tell you what is expected, while the PCI DSS requirements and the available solutions show you how to achieve and maintain it.

How to Determine Your PCI DSS Compliance Level

Start by counting how many card transactions you processed over the past 12 months, for example your most recent tax or financial year. Count per card brand, because each brand defines its levels in terms of its own transactions, and separate e-commerce transactions from the total, since the Level 3 and Level 4 thresholds are defined by e-commerce volume. You should also determine whether you are a merchant or a service provider. Generally, a merchant is a business that accepts card payments, while a service provider stores, processes, or transmits cardholder data on behalf of other businesses.

Once you know which category you fall under, check your processor’s compliance levels and align your business based on how many transactions you’ve processed. If you don’t assess your company based on the right level, you may not be considered compliant. In which case, it’s always important to seek help from an expert.

The validation and assessment process itself varies by level:

  • Level 4 and 3 merchants typically validate with a Self-Assessment Questionnaire (SAQ), an Attestation of Compliance (AOC), and quarterly ASV scans.
  • Level 2 merchants may also need to provide a Report on Compliance (ROC) depending on their acquiring bank.
  • Level 1 merchants require an onsite assessment by a QSA, along with penetration testing, quarterly scans, and scoping documentation (network and data-flow diagrams and an inventory of in-scope systems) to define the boundary of the assessment.
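To make the counting rule concrete, here is an added example (not code from the original post or from SecureTrust) that classifies a merchant from its annual volumes. It encodes the Visa-published thresholds as commonly cited, the e-commerce-versus-all-channels distinction, the card brands’ right to designate a merchant as Level 1, and the convention that a merchant treated as Level 1 by one brand is generally treated as Level 1 by the others. The exact boundary handling (for instance whether exactly one million transactions lands in Level 2 or Level 3) and the function and field names are assumptions; confirm thresholds with your acquirer.

```python
"""Classify a merchant into a PCI DSS merchant level from annual card volumes.

Added example, not from the original post. Thresholds follow the Visa merchant
level criteria as commonly cited; boundary handling and all names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class AnnualVolume:
    brand: str                        # e.g. "visa", "mastercard"
    total: int                        # all transactions for this brand, all channels
    ecommerce: int                    # the e-commerce subset of `total`
    designated_level_1: bool = False  # brand or acquirer has designated the merchant Level 1


def merchant_level(v: AnnualVolume) -> int:
    """Return the merchant level (1..4) for one card brand's annual volume.

    Level 1: more than 6M transactions on any channel, or brand designation.
    Level 2: 1M to 6M transactions on any channel (assumed inclusive at 1M).
    Level 3: 20,000 to 1M e-commerce transactions.
    Level 4: fewer than 20,000 e-commerce transactions and up to 1M in total,
             which is where a mostly card-present retailer lands even at
             several hundred thousand transactions a year.
    """
    if v.ecommerce > v.total:
        raise ValueError("e-commerce volume cannot exceed total volume")
    if v.designated_level_1 or v.total > 6_000_000:
        return 1
    if v.total >= 1_000_000:
        return 2
    if v.ecommerce >= 20_000:
        return 3
    return 4


def overall_level(volumes: list[AnnualVolume]) -> int:
    """Most stringent level across brands.

    Brands generally honour another brand's Level 1 treatment, and an acquirer
    will validate you at the strictest level you meet, so the lowest number wins.
    """
    if not volumes:
        raise ValueError("no volumes supplied")
    return min(merchant_level(v) for v in volumes)


if __name__ == "__main__":
    # Constructed sample: a retailer with modest online sales under two brands.
    sample = [
        AnnualVolume("visa", total=500_000, ecommerce=50_000),          # Level 3
        AnnualVolume("mastercard", total=2_000_000, ecommerce=100_000),  # Level 2
    ]
    for v in sample:
        print(f"{v.brand}: Level {merchant_level(v)}")
    print(f"validate as Level {overall_level(sample)}")
```

The second sample volume shows why counting per brand matters: a merchant that is Level 3 on Visa but Level 2 on Mastercard should plan its validation around Level 2.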

Evidence gathering, audit trails, and preparing for an assessment are a must. Support from an Internal Security Assessor (ISA) is sometimes part of higher-level validations; the Payment Application QSA (PA-QSA) role, which assessed payment software under PA-DSS, was retired along with PA-DSS in 2022 in favour of the PCI Secure Software Framework. Regardless of size, every business must be able to show that PCI DSS controls are in place and that compliance is monitored on an ongoing basis.

Conclusion

Determining your exact PCI DSS compliance level is an important step towards ensuring your cardholder data is protected as much as possible against emerging threats. Unfortunately, none of us may be able to avoid threats completely, but with stringent, robust cybersecurity measures and reasonable steps taken to become compliant, you can be sure that you’re doing the right thing by your customers and stakeholders.

SecureTrust helps to make PCI compliance for small businesses more efficient and straightforward. Take a tour of our platform now to learn more about how we can simplify your security auditing and protect your clients better.

FAQ

What happens if my business is not PCI DSS compliant?

Non-compliance can lead to fines, monthly non-compliance fees, higher transaction costs, and even restrictions from your acquiring bank. If a data breach occurs, merchants may also be held responsible for card replacement costs, fraud losses, and lost sales, along with serious reputational damage.

What are the PCI DSS requirements?

PCI DSS is built on twelve core requirements designed to protect the cardholder data environment. These include maintaining strong network security controls, using strong cryptography, keeping secure configurations, running regular vulnerability scans, logging and monitoring access, managing malicious software, and enforcing strict access controls both physically and digitally.

What are the requirements for each PCI DSS compliance level?

  • Level 4 and 3 merchants: Complete a Self-Assessment Questionnaire (SAQ), submit an Attestation of Compliance (AOC), and perform quarterly scans through an Approved Scanning Vendor (ASV).
  • Level 2 merchants: Same as above, but may also need to provide a Report on Compliance (ROC) if required by their acquiring bank or payment processor.
  • Level 1 merchants: Must undergo an annual onsite audit by a Qualified Security Assessor (QSA), produce a ROC and AOC, and conduct quarterly scans, penetration tests, and ongoing monitoring.
About the author: Chris Brown, Senior Product Marketing Manager, SecureTrust
