PCI DSS Merchant Levels Explained: Transaction Thresholds, SAQ Types & Validation Requirements

PCI DSS compliance validation requirements vary based on your merchant level, which is determined primarily by the volume of payment card transactions your organization processes annually. Understanding your merchant level is the first step in determining your compliance obligations, including whether you need a full on-site assessment by a Qualified Security Assessor or can self-validate using a Self-Assessment Questionnaire. This guide explains the four merchant levels, how they are determined, and the specific validation requirements for each.

Understanding the Four Merchant Levels

Payment card brands (Visa, Mastercard, American Express, Discover, JCB) each define their own merchant levels, though the definitions are broadly similar. Using Visa's definitions as the most commonly referenced standard, Level 1 merchants process over 6 million Visa transactions per year across all channels, or are identified by Visa as Level 1. Level 2 merchants process 1 to 6 million Visa transactions per year. Level 3 merchants process 20,000 to 1 million Visa e-commerce transactions per year. Level 4 covers merchants processing fewer than 20,000 Visa e-commerce transactions per year, plus all other merchants processing up to 1 million Visa transactions per year regardless of channel. Mastercard uses slightly different thresholds: Level 1 is over 6 million transactions, Level 2 is 1 to 6 million, Level 3 is 20,000 to 1 million, and Level 4 is fewer than 20,000. Transaction counts include all payment channels, including in-store, online, mail-order, and telephone. Importantly, a merchant's level is determined by the acquiring bank and can be elevated if the merchant has suffered a data breach or is deemed high-risk, regardless of transaction volume. Organizations processing transactions for multiple brands should determine their level with each brand separately, as they may fall into different levels.
  • Level 1: over 6 million transactions per year; Level 2: 1-6 million; Level 3: 20,000-1 million; Level 4: under 20,000 e-commerce or up to 1 million total
  • Each payment brand defines its own levels with slightly different thresholds
  • Transaction counts include all channels: in-store, online, mail-order, and telephone
  • Acquiring banks can elevate merchant level after a breach or for high-risk merchants
  • Organizations should determine their level separately for each payment brand

Level 1 Merchant Requirements

Level 1 merchants face the most rigorous compliance validation requirements. They must undergo an annual on-site assessment conducted by a Qualified Security Assessor (QSA) certified by the PCI SSC or, alternatively, complete an annual Internal Security Assessment signed by an officer of the company if the organization has a qualified Internal Security Assessor (ISA) on staff. The assessment results in a Report on Compliance (ROC) that documents the organization's compliance status across all applicable PCI DSS requirements. Level 1 merchants must also conduct quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV) and submit the scan results as part of their compliance documentation. Additionally, they must complete and submit an Attestation of Compliance (AOC) form. The ROC is a comprehensive document that can run hundreds of pages, covering every applicable PCI DSS requirement with detailed evidence of compliance. QSA assessments typically take several weeks to months depending on the complexity of the cardholder data environment, and the cost ranges from $50,000 to over $500,000 depending on the organization's size and scope. Any merchant that has experienced a breach resulting in account data compromise is typically elevated to Level 1 regardless of transaction volume, which means it must undergo a full QSA assessment.
  • Annual on-site assessment by a QSA resulting in a Report on Compliance (ROC)
  • Quarterly ASV vulnerability scans are mandatory
  • Internal Security Assessors can conduct assessments as an alternative to external QSAs
  • QSA assessment costs typically range from $50,000 to over $500,000
  • Breached merchants are typically elevated to Level 1 regardless of transaction volume

Level 2 and Level 3 Merchant Requirements

Level 2 merchants must complete an annual Self-Assessment Questionnaire (SAQ) appropriate to their payment processing method, conduct quarterly ASV network vulnerability scans, and submit an Attestation of Compliance. While Level 2 merchants are not required to undergo a full QSA assessment under most card brand programs, Mastercard requires Level 2 merchants to have their SAQ validated by a QSA, ISA, or other qualified party. Some acquirers may also require Level 2 merchants to undergo a QSA assessment based on risk considerations. Level 3 merchants have similar requirements: annual SAQ completion, quarterly ASV scans, and Attestation of Compliance submission. The SAQ type depends on how the merchant processes payments, not on their merchant level. A Level 2 merchant using a fully outsourced payment page might complete SAQ A, while a Level 3 merchant with a more complex payment setup might need SAQ D. Both Level 2 and Level 3 merchants should work closely with their acquiring bank to confirm exactly which SAQ type applies and whether any additional validation requirements are imposed. Acquirers have the authority to impose more stringent requirements than the minimum defined by the card brands, and requirements can vary based on the merchant's risk profile and processing environment.
  • Level 2 and 3 merchants complete annual SAQs rather than full QSA assessments
  • Quarterly ASV vulnerability scans are required for both levels
  • Mastercard requires Level 2 SAQs to be validated by a QSA or ISA
  • SAQ type depends on payment processing method, not merchant level
  • Acquirers can impose stricter requirements beyond card brand minimums

Level 4 Merchant Requirements

Level 4 merchants constitute the vast majority of merchants worldwide and have the most streamlined compliance validation requirements. They must complete an annual SAQ appropriate to their payment processing method and conduct quarterly ASV vulnerability scans. An Attestation of Compliance must be submitted to their acquirer. However, the practical enforcement of Level 4 requirements varies significantly by acquirer. Some acquirers actively require and review SAQ submissions from Level 4 merchants, while others may not enforce the requirement unless a breach occurs or risk concerns arise. This inconsistency does not reduce the merchant's obligation to comply with the full PCI DSS standard; it only affects the validation mechanism. Level 4 merchants often benefit from using payment solutions that minimize their PCI DSS scope. Using a Payment Service Provider (PSP) or fully outsourced payment page means the merchant may qualify for SAQ A, the shortest and simplest questionnaire. Integrated payment terminals with point-to-point encryption can qualify merchants for SAQ P2PE, another streamlined option. Even though Level 4 requirements are less burdensome from a validation perspective, the underlying PCI DSS security requirements still apply in full. A Level 4 merchant that suffers a breach is held to the same standard as any other merchant.
  • Level 4 merchants complete annual SAQs and quarterly ASV scans
  • Acquirer enforcement varies; some actively review submissions while others do not
  • Using outsourced payment solutions can qualify merchants for the simplest SAQ types
  • Level 4 merchants constitute the vast majority of merchants globally
  • Full PCI DSS requirements apply regardless of validation streamlining

SAQ Types by Payment Processing Method

The Self-Assessment Questionnaire type is determined by how the merchant processes, stores, and transmits cardholder data, not by merchant level. SAQ A applies to merchants that fully outsource all cardholder data functions to PCI DSS compliant third parties, with no electronic storage, processing, or transmission of cardholder data on the merchant's systems. SAQ A-EP applies to e-commerce merchants that outsource payment processing but whose website can impact the security of the payment transaction. SAQ B applies to merchants using only imprint machines or standalone dial-out terminals with no electronic cardholder data storage. SAQ B-IP applies to merchants using only standalone IP-connected payment terminals with no electronic data storage. SAQ C applies to merchants with payment application systems connected to the internet but with no electronic cardholder data storage. SAQ C-VT applies to merchants manually entering single transactions via a virtual terminal on an isolated computer. SAQ D is the most comprehensive, applying to all merchants not fitting other SAQ criteria, and to all service providers eligible to complete an SAQ. SAQ P2PE applies to merchants using hardware payment terminals managed via a validated PCI-listed Point-to-Point Encryption solution. Choosing the correct SAQ is critical, as completing the wrong type can result in a non-compliant validation.
  • SAQ A: fully outsourced payment with no cardholder data on merchant systems
  • SAQ A-EP: e-commerce with outsourced processing but website impacts payment security
  • SAQ B/B-IP: standalone terminals (dial-out or IP-connected) with no electronic storage
  • SAQ C/C-VT: internet-connected payment apps or virtual terminals with no storage
  • SAQ D: comprehensive questionnaire for merchants not fitting other categories

How to Determine Your Merchant Level and SAQ Type

Determining your merchant level and appropriate SAQ type requires several steps. First, gather your annual transaction volumes for each payment brand you accept. Contact your acquiring bank or payment processor for exact figures, as they maintain the authoritative transaction records. Second, compare your volumes against each brand's level definitions, recognizing that you may fall into different levels with different brands and should comply with the most stringent applicable requirements. Third, map your payment processing architecture to identify how cardholder data flows through your environment. Document every system, application, network segment, and third-party service that stores, processes, or transmits cardholder data or could affect the security of cardholder data. Fourth, based on your processing architecture, identify the appropriate SAQ type. If you are unsure, consult your QSA or your acquirer's compliance team. Fifth, confirm your merchant level and SAQ type with your acquiring bank, as they have the final authority on classification. Organizations that are borderline between levels or SAQ types should consider proactively choosing the more stringent option, as transaction volumes can fluctuate and reclassification mid-year creates compliance complications. Investing in payment architecture that reduces PCI DSS scope, such as tokenization, P2PE terminals, or fully outsourced payment pages, can simplify compliance and reduce costs regardless of merchant level.
  • Contact your acquiring bank for authoritative transaction volume figures
  • You may be classified at different levels with different payment brands
  • Map your complete cardholder data flow to determine the correct SAQ type
  • Confirm classification with your acquirer, as they have final authority
  • Invest in scope-reducing technologies like tokenization and P2PE to simplify compliance

Key Takeaways

  • Four merchant levels based on annual transaction volume determine validation requirements
  • Level 1 requires annual QSA assessment; Levels 2-4 use Self-Assessment Questionnaires
  • All levels require quarterly ASV vulnerability scans and Attestation of Compliance
  • SAQ type depends on payment processing method, not merchant level
  • Acquirers have final authority on merchant classification and can impose stricter requirements
  • Scope-reducing technologies like P2PE and tokenization simplify compliance at any level
  • Breached merchants are typically elevated to Level 1 regardless of transaction volume

Frequently Asked Questions

How do I determine my PCI DSS merchant level?

Your merchant level is determined by the number of payment card transactions you process annually. Level 1: over 6 million, Level 2: 1-6 million, Level 3: 20,000-1 million, Level 4: under 20,000 e-commerce or up to 1 million total. Contact your acquiring bank for your exact classification.

What is the difference between SAQ A and SAQ D?

SAQ A is the simplest questionnaire for merchants that fully outsource all cardholder data functions to compliant third parties. SAQ D is the most comprehensive, covering all PCI DSS requirements, for merchants that store, process, or transmit cardholder data and do not fit other SAQ categories.

Do Level 4 merchants need to be PCI compliant?

Yes. All merchants that accept payment cards must comply with PCI DSS regardless of transaction volume. Level 4 merchants have streamlined validation requirements (SAQ instead of QSA assessment), but the underlying security requirements apply in full.

How much does PCI DSS compliance cost by merchant level?

Costs vary significantly: Level 1 QSA assessments typically range from $50,000 to $500,000+. Level 2-3 SAQ completion and ASV scans may cost $5,000 to $50,000. Level 4 merchants with simple setups may spend $1,000 to $10,000. Costs depend on environment complexity and scope.

Can my merchant level change?

Yes. Merchant levels can change due to transaction volume growth, acquirer reclassification, or security incidents. Merchants that suffer a data breach are typically elevated to Level 1 regardless of volume. Your acquirer can also elevate your level based on risk considerations.

Which SAQ do I need for e-commerce?

E-commerce merchants typically need SAQ A if they fully outsource payment processing (e.g., redirect to PayPal/Stripe hosted page), SAQ A-EP if they have a website that can impact payment security (e.g., embedded iframe), or SAQ D if they directly handle cardholder data.
