PCI DSS

PCI DSS compliance is a must in today’s digital economy to ensure that cardholder information is secure. If you operate an online store, or even a large chain of stores, and process credit or debit cards, you fall under the purview of the Payment Card Industry Data Security Standard (PCI DSS).

But compliance isn’t created equal for every merchant. That is why PCI DSS categorizes merchants into Levels 1–4 (typically determined by annual transaction volume). Each level has its own validation requirements, ranging from an annual audit by a Qualified Security Assessor (QSA) to a simple self-assessment.

It’s important to know your merchant level: it determines your reporting obligations, your security burden, and the consequences of non-compliance.

In this post, we will cover what each PCI level means, who is affected, what your business needs to stay compliant and secure, and why choosing a PCI-compliant payment processor is important.

What Is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of standards designed to ensure safe handling of cardholder information. It was initially introduced in 2006 by the Payment Card Industry Security Standards Council (PCI SSC)—an organization created by the major credit card brands Visa, MasterCard, American Express, Discover and JCB. The objective was straightforward: safeguard payment card data from breaches, theft, and misuse.

PCI DSS prescribes 12 core requirements covering areas such as firewall configuration, encryption, access management, and continuous monitoring of systems. These requirements form the basis of a secure payment environment.

Who Must Comply?

PCI DSS applies to any business that stores, processes, or transmits cardholder data. This includes:

  • Merchants (online shops, brick-and-mortar stores, etc.)
  • Payment processors and gateways
  • Third-party service providers
  • Financial institutions

Most importantly, it applies regardless of the size of your business or the number of transactions processed per year. The loss of sensitive information, even a single record, exposes companies to financial, reputational and legal trouble.

But as you may already know, PCI DSS compliance is not just a matter of ticking a few boxes—it’s a crucial line of defense for your customers and your business against costly security breaches.

Overview of PCI DSS Levels 1–4

PCI DSS merchant levels categorize merchants based on the volume of Visa or MasterCard transactions they process each year. The level defines the scope of compliance and the required form of validation. There are four levels, with Level 1 carrying the highest transaction volume and risk.

Level 1: More than 6 million transactions annually

Level 2: 1 million to 6 million transactions a year

Level 3: 20,000 to 1 million e-commerce transactions per year

Level 4: fewer than 20,000 e-commerce or up to 1,000,000 total transactions per year

These thresholds are set per card brand and are intended to match the level of validation to each merchant’s risk and volume.

Why Do Levels Matter?

Your merchant level dictates the type of assessment: whether a Self-Assessment Questionnaire (SAQ) is sufficient or whether you require an onsite audit by a Qualified Security Assessor (QSA).

The higher the level, the more documentation and vulnerability scanning is required, and possibly penetration testing as well. The level also influences cost, timelines, and the need for third-party validation.

Knowing where you stand also lets you plan compliance work effectively, minimize liability, and avoid the penalties and reputational loss that follow non-compliance.

PCI DSS Level 1: Requirements & Applicability

PCI DSS Level 1 applies to merchants processing over 6 million Visa or MasterCard transactions annually across all channels. It also includes businesses that have experienced a data breach or are designated high-risk by card brands, regardless of volume. Due to the potential for large-scale exposure, these merchants are held to the strictest compliance standards.

Level 1 merchants must undergo an annual onsite assessment conducted by a Qualified Security Assessor (QSA). This audit verifies compliance with all PCI DSS controls.

Other key requirements include:

  • Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
  • Submission of a Report on Compliance (ROC) and Attestation of Compliance (AOC)
  • Implementation of encryption for cardholder data in transit and at rest
  • A robust incident response plan for breach management
  • Logging, monitoring, and access controls for all systems touching payment data

Level 1 compliance is resource-intensive, often requiring dedicated security teams and advanced infrastructure.

Businesses that fall under Level 1 typically include:

  • Large retailers like Walmart or Amazon that handle massive transaction volumes
  • Global travel brands and online booking platforms with high daily payment activity
  • Subscription-based services such as Netflix and Spotify processing millions of recurring payments

These companies have a high risk profile and must maintain continuous PCI DSS compliance to protect customer data and retain trust.

PCI DSS Level 2: Requirements & Applicability

PCI DSS Level 2 applies to merchants processing 1 million to 6 million Visa or MasterCard transactions annually. These businesses handle a significant volume of cardholder data, though not at the scale of Level 1 merchants.

Level 2 merchants are generally not required to undergo an onsite audit unless specified by their acquiring bank. Instead, they must complete the following:

  • A full Self-Assessment Questionnaire (SAQ D)
  • Quarterly vulnerability scans conducted by an Approved Scanning Vendor (ASV)
  • Submission of an Attestation of Compliance (AOC), confirming adherence to PCI DSS requirements

However, acquiring banks or payment brands may request a Qualified Security Assessor (QSA) audit if there are signs of risk or a history of non-compliance.

Level 2 is often seen as a transition point—close to Level 1 obligations, especially if a data breach occurs. In such cases, the business may be escalated to Level 1 and required to meet its stricter validation requirements.

While the audit burden is lighter, strong internal controls are still expected, including data encryption, access restrictions, and incident response planning. Many Level 2 merchants adopt best practices from Level 1 to prepare for future growth and minimize risk.

Businesses in this category often include regional retailers, online marketplaces, and mid-size subscription platforms.

PCI DSS Level 3: Requirements & Applicability

PCI DSS Level 3 applies to merchants processing 20,000 to 1 million e-commerce transactions annually. This level is specifically geared toward internet-based merchants, where card-not-present transactions are the norm. While these merchants handle fewer transactions than Levels 1 and 2, they still represent a meaningful security risk, especially online.

Level 3 merchants are required to validate compliance with the following:

  • Completion of the appropriate Self-Assessment Questionnaire (SAQ), typically SAQ A, A-EP, or C-VT, depending on how card data is handled or stored
  • Quarterly vulnerability scans by an Approved Scanning Vendor (ASV) if the merchant touches or processes cardholder data
  • Submission of an Attestation of Compliance (AOC), either prepared internally or by a third-party consultant

Though onsite audits are not mandatory, acquiring banks can still request one based on perceived risk. Merchants must also ensure they maintain necessary security controls, such as firewall configuration, secure software development practices, and restricted access to data.

This level is common for:

  • Small-to-midsize online stores
  • Digital subscription platforms accepting recurring online payments
  • SaaS companies with direct credit card payment forms embedded into their platforms

Level 3 is a reminder that smaller volume doesn’t mean smaller risk, particularly in e-commerce where fraud and cyberattacks are common.

PCI DSS Level 4: Requirements & Applicability

PCI DSS Level 4 applies to merchants processing fewer than 20,000 e-commerce transactions annually or fewer than 1 million total credit/debit card transactions across all channels (including in-store, phone, and online). These businesses typically operate at a small scale but are still responsible for protecting cardholder data.

Level 4 merchants must complete the appropriate Self-Assessment Questionnaire (SAQ)—usually SAQ A, B, or C, depending on their payment environment and how they handle cardholder data. While an onsite QSA audit isn’t required, merchants may need to perform quarterly vulnerability scans by an Approved Scanning Vendor (ASV) if they store, process, or transmit cardholder data.

Unlike higher levels, validation of compliance is managed directly by the acquiring bank, which may impose additional requirements based on perceived risk. Merchants must still implement all PCI DSS controls applicable to their environment, including maintaining secure systems, protecting stored data, and regularly testing security processes.

Level 4 is best suited for:

  • Small local businesses such as cafes, salons, and repair shops
  • Boutique retailers with low-volume online or in-store sales
  • Service providers using hosted payment gateways that redirect customers offsite for payment

Even at this level, a data breach can be devastating. Proper compliance helps small merchants avoid fines, brand damage, and customer trust issues.

How to Determine Your PCI Level?

Your PCI level is determined by your annual transaction volume for Visa and MasterCard. This count includes transactions from every channel: POS devices, e-commerce, mobile applications, recurring billing, and mail order / telephone order (MOTO).

When your business accepts cards in several ways, sum up the total volume processed across all platforms. The levels are then assigned based on this combined annual count:

  • Level 1: Over 6 million transactions
  • Level 2: 1 million to 6 million transactions
  • Level 3: 20,000 to 1 million e-commerce only
  • Level 4: Fewer than 20,000 e-commerce transactions, or up to 1 million transactions in total

Re-evaluate your PCI level annually, and especially after significant growth in transaction volume or after a major data breach, since a breach can move you to Level 1 regardless of your business size.

To confirm your categorization, contact your acquiring bank or payment processor. They may have specific reporting requirements and can verify your merchant level. Some acquirers impose even stricter requirements based on their own risk assessments.

Continually tracking your transaction volume and confirming your PCI level with your acquirer are business practices that keep you in compliance, prevent financial penalties and preserve your customers’ trust.
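
As an added example (not from the post), here is the classification described above in code: channels are summed first, Level 3 is decided on e-commerce volume alone, and a breach or high-risk designation escalates the merchant to Level 1. The sample merchants and the reading of volumes that sit exactly on a boundary are assumptions made here; the acquiring bank’s classification is authoritative.

```python
from dataclasses import dataclass

@dataclass
class MerchantVolume:
    """Annual Visa/MasterCard transaction counts by channel (constructed input, not real data)."""
    ecommerce: int                        # card-not-present web transactions
    other_channels: int                   # POS, mobile app, recurring billing, MOTO, ...
    breached_or_high_risk: bool = False   # card brands may escalate such merchants to Level 1

def pci_merchant_level(v: MerchantVolume) -> int:
    """Apply the thresholds from the post. A volume exactly on a boundary (1,000,000 or 20,000)
    is read as in the post's ranges; the acquiring bank's classification is authoritative."""
    total = v.ecommerce + v.other_channels      # sum every channel first
    if v.breached_or_high_risk or total > 6_000_000:
        return 1
    if total >= 1_000_000:
        return 2
    if v.ecommerce >= 20_000:                   # Level 3 is defined on e-commerce volume alone
        return 3
    return 4

VALIDATION = {
    1: "annual onsite QSA audit, ROC and AOC, quarterly ASV scans",
    2: "SAQ D, AOC, quarterly ASV scans (QSA audit only if the acquirer demands it)",
    3: "SAQ A, A-EP or C-VT, AOC, quarterly ASV scans if cardholder data is touched",
    4: "SAQ A, B or C, validated via the acquiring bank, ASV scans if cardholder data is handled",
}

def validation_path(v: MerchantVolume) -> tuple[int, str]:
    level = pci_merchant_level(v)
    return level, VALIDATION[level]

if __name__ == "__main__":
    # Constructed merchants chosen to show the edge cases of the classification
    samples = {
        "web-only boutique": MerchantVolume(ecommerce=15_000, other_channels=0),
        "retail chain with small web shop": MerchantVolume(ecommerce=15_000, other_channels=1_500_000),
        "mid-size online store with POS": MerchantVolume(ecommerce=50_000, other_channels=500_000),
        "small shop after a breach": MerchantVolume(ecommerce=5_000, other_channels=2_000,
                                                   breached_or_high_risk=True),
    }
    for name, vol in samples.items():
        level, path = validation_path(vol)
        print(f"{name}: Level {level} -> {path}")
```

Note that the retail chain with only 15,000 web transactions still lands in Level 2, because its total volume across all channels is what counts there.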

Consequences of Non-Compliance

Non-compliance with PCI DSS can have serious financial and operational consequences for merchants.

Financial Penalties

Failure to comply can result in fines between $5,000 and $100,000 for each month of non-compliance, depending on its degree and duration. In the event of a data compromise, merchants can also be held responsible for fraud losses, forensic investigation costs and card reissuance expenses.

Reputational Damage

A data breach can badly damage a brand. Loss of consumer trust is one of the hardest consequences to recover from. Banks, partners and card brands may also sever relationships with the affected business.

Operational Impact

Non-compliant merchants could be subject to enhanced reporting requirements and greater scrutiny, along with increased transaction costs. The worst case: they’ll lose their capability to process card payments entirely — a formidable operational hurdle for most businesses.

These penalties only grow harsher the longer non-compliance continues. Compliance isn’t only about avoiding fines; it’s about protecting your customers and the long-term survival of your business.

Tips for Simplifying PCI DSS Compliance

PCI DSS compliance may feel daunting, but with the right tools and approach it doesn’t have to be. Here is how you can simplify it and improve security at the same time:

1. Use a PCI-Compliant Payment Gateway

Partner with a PCI-compliant payment processor so you never have to store sensitive customer data on your own servers. This reduces your PCI scope and simplifies audits.

2. Avoid Storing Cardholder Data

Store full card numbers, CVV and expiry dates only if genuinely needed. Less data means less risk — and fewer compliance responsibilities.

3. Segment Your Card Data Environment (CDE)

Segment your network to separate the systems that process card data from the rest of your IT environment. The fewer systems in PCI scope, the smaller the compliance effort.

4. Conduct Regular Scans and Tests

Run quarterly vulnerability scans through an Approved Scanning Vendor (ASV). Perform penetration testing at least once a year and whenever there are major changes to your systems.

5. Implement Tokenization and Encryption

Tokenization is the process of substituting card information with a non-sensitive equivalent, the token. Encryption protects data in transit and at rest. Both cut down breach risk and compliance scope.
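
The added example below (not the post’s code) shows what tips 2 and 5 look like in practice: a constructed token vault that hands the merchant a letters-only token, an order record that keeps only the token and the last four digits, and a Luhn-based scan that flags card numbers which have leaked into logs or database exports. The vault design, the fingerprint key and the use of the well-known 4111 1111 1111 1111 test card number are assumptions; a production vault would additionally encrypt the stored PANs at rest.

```python
import hashlib, hmac, re, secrets, string

def normalize_pan(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Constructed stand-in for a processor's token vault: the only component that sees PANs, hence
    the only one in PCI DSS scope. A production vault also encrypts the stored PANs at rest."""
    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fp: dict[str, str] = {}

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # Keyed fingerprint: same card -> same token, without indexing on the clear PAN
        fp = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if fp not in self._token_by_fp:
            # Letters only, so a token can never be mistaken for a PAN by people or scanners
            token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return self._token_by_fp[fp]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def merchant_order_record(vault: TokenVault, raw_pan: str, amount_cents: int) -> dict:
    """What the merchant's own database keeps: token and last four digits, never the PAN or CVV."""
    pan = normalize_pan(raw_pan)
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount_cents": amount_cents}

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators

def find_pans(text: str) -> list[str]:
    """Flag Luhn-valid digit runs in logs or exports, i.e. likely unredacted PANs."""
    candidates = (normalize_pan(m.group()) for m in PAN_RE.finditer(text))
    return [d for d in candidates if luhn_ok(d)]
```

Running `find_pans` over the merchant’s order records returns nothing, while running it over a log line that still carries the raw card number returns the number, which is the check worth scheduling against logs and exports.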

6. Train Employees on Data Security

Human error remains a serious threat. Regularly train employees on payment data handling, phishing awareness, and incident response procedures.

7. Maintain Documentation

Keep records of your Self-Assessment Questionnaire (SAQ), network diagrams, policies, scan results, and incident response plans. Documentation supports audits and helps you stay organized.

Simplifying PCI DSS compliance is about making smart choices in payment infrastructure, data handling, and staff training. With the right approach, compliance becomes a continuous habit—not a yearly scramble.

Conclusion

The PCI DSS Levels 1–4 provide a clear framework for merchants to achieve and maintain compliance. Remember, compliance is an ongoing process, not a one-time checkbox. Knowing your merchant level helps you follow the correct validation path and meet the necessary security standards. Investing in strong data protection early can prevent costly fines and reputational damage later. Staying informed and adapting your processes as the standard and the threat landscape evolve is just as critical. Prioritize compliance to safeguard your customers and ensure your business’s long-term success.

Frequently Asked Questions

  1. How do I find my PCI DSS level?
    Contact your acquiring bank or payment processor. They classify your level based on your annual transaction volume.
  2. Can my PCI level change?
    Yes, your level can increase after significant growth in transactions, security breaches, or a formal reassessment.
  3. Is PCI DSS legally required?
    PCI DSS is not a government law but is mandatory to accept credit and debit card payments according to Visa, MasterCard, and other card brands.
  4. Do I need to renew PCI compliance every year?
    Yes, all merchant levels require annual compliance validation and, if applicable, quarterly vulnerability scans.
  5. What’s the difference between an SAQ and a QSA audit?
    An SAQ is a Self-Assessment Questionnaire that merchants complete themselves. A QSA audit is performed by a professional third-party Qualified Security Assessor and is required for Level 1 merchants.