Within the PCI DSS standard, the five largest global payment card organizations define compliance levels based on the annual volume of payment card transactions processed by an organization (typically a merchant or service provider). These levels help determine the required scope of security assessment — ranging from Self-Assessment Questionnaire (SAQ) to Report on Compliance (ROC). This article by SQC Certification provides an overview of PCI DSS compliance levels.

Introduction to the PCI DSS Standard
PCI DSS (Payment Card Industry Data Security Standard) is an international security standard for payment card data, developed and issued by the PCI Security Standards Council (PCI SSC). The objective of PCI DSS is to protect cardholder data throughout its processing, storage, and transmission, thereby minimizing the risk of fraud and data breaches.
This standard can currently be applied to any organization involved in the payment card processing chain — including banks, financial institutions, payment gateways, service providers, merchants, and even e-commerce platforms. PCI DSS establishes a framework of 12 security requirement groups, covering areas such as network infrastructure management, protection of cardholder data, access control, as well as security monitoring and testing.
PCI DSS Compliance Levels
PCI DSS classifies compliance into four levels based on the total number of credit or debit card transactions an organization processes annually, including both online and in-person transactions. Each level has its own validation requirements to ensure the security of payment data processing.
Level 1 – Highest Level
Applicable to:
- Merchants processing over 6 million card transactions (Visa or Mastercard) per year.
- Any merchant that has experienced a data breach or is specifically required by a card organization.
Compliance Requirements:
- Assessment conducted by a Qualified Security Assessor Company (QSAC) or an approved internal assessment.
- Annual submission of a Report on Compliance (ROC).
- Quarterly network security scans (ASV scans).
Significance:
This level is intended for banks, payment service providers (PSP), large e-commerce platforms, or corporations with high transaction volumes.

Level 2
Applicable to:
- Merchants processing from 1 million to 6 million card transactions per year (per card brand).
Compliance Requirements:
- Annual self-assessment using the SAQ (Self-Assessment Questionnaire).
- Quarterly ASV scans.
- Some card organizations may require a ROC assessment if the risk level is high.
Significance:
Typically applies to medium-sized businesses such as retail chains or mid-sized e-commerce platforms.
Level 3
Applicable to:
- Merchants processing from 20,000 to 1 million e-commerce transactions per year.
Compliance Requirements:
- Annual SAQ.
- Quarterly ASV scans.
Significance:
Applies to small and medium-sized e-commerce businesses with a notable volume of online sales.

Level 4
Applicable to:
- Merchants processing fewer than 20,000 e-commerce transactions per year, or
- Fewer than 1 million total card transactions per year.
Compliance Requirements:
- Annual SAQ (as required by the acquiring bank).
- Quarterly ASV scans (if online transactions are involved).
Significance:
Typically applies to small shops, startups, and service providers with low transaction volumes.
How to determine your organization’s PCI DSS level?
Determining which PCI DSS level a business belongs to is the first and most important step when starting your compliance journey. Below is a clear and simple guide to help you determine your PCI DSS level (Merchant Level or Service Provider Level). Steps you can follow:
1. Identify your business type. Determine which category your organization belongs to:
- Merchant: A business, store, or website that accepts card payments.
- Service Provider: An entity that processes or stores card data on behalf of others (e.g., payment gateways, infrastructure providers).

2. Calculate total annual card transactions. Aggregate the number of transactions for each card brand (Visa, Mastercard, etc.) over the past 12 months.
3. Compare with the level criteria. Match the per-brand totals against the level criteria described above.
4. Confirm with your acquiring bank. Your bank or card organization is the official authority that determines your compliance level.
Benefits of Understanding Your PCI DSS Compliance Level
Correctly identifying your PCI DSS compliance level gives your business several practical advantages. These benefits may include:
- Building an appropriate compliance plan – clearly understanding the scope, costs, and processes required.
- Enhancing card data security, reducing the risk of breaches and financial losses.
- Optimizing resources – avoiding overinvestment or gaps in security controls.
- Increasing credibility and trust with partners, banks, and customers.
- Ensuring stable payment operations and meeting the requirements of international card organizations.
Accurately determining an organization’s PCI DSS compliance level not only helps clarify the scope and requirements that must be met, but also serves as a crucial foundation for building an effective and sustainable payment card security system. Once the business understands its compliance level, it can develop an appropriate implementation plan, allocate resources efficiently, and meet the expectations of financial institutions, banks, and customers.
Understanding and complying with PCI DSS goes beyond a technical requirement; it represents a commitment to data security and brand reputation – the key factors for sustainable business growth in the digital payments era.