PCI Compliance Levels: Which One Are You?
Reviewed by James Torres, QSA, CISM
PCI DSS compliance levels are determined solely by annual card transaction volume. Level 1 (over 6 million transactions) requires mandatory QSA audits, quarterly ASV scanning, and annual penetration testing, with total compliance costs of $50,000 to $150,000+ annually. Level 2 (1 to 6 million) requires audits in most cases plus scanning and testing, costing $20,000 to $50,000. Level 3 (20,000 to 1 million) permits self-assessment, costing $5,000 to $20,000. Level 4 (under 20,000) carries minimal verification requirements at $1,000 to $5,000 annually. Using payment processors to shift transaction handling is a legitimate strategy to maintain a lower compliance level.
Your acquiring bank or payment processor told you which PCI compliance level you fall into. You need to understand what that classification actually means for your obligations, your cost, and how often you'll be audited. The difference between Level 1 and Level 4 is enormous — a Level 1 merchant processing millions of transactions annually faces mandatory third-party audits and stringent verification requirements, while a Level 4 merchant processing fewer than 20,000 transactions annually can self-assess. The cost difference is equally dramatic. Your level determines your compliance obligations and cost more than any other single factor in the PCI framework.
Your level is determined solely by transaction volume — the number of card transactions you process in a given year. It's not based on how much card data you actually handle, how sophisticated your systems are, or how much revenue you generate. A business that processes millions of low-value transactions is Level 1. A business that processes a handful of high-value transactions might be Level 3 or 4. The card networks created this tiering system because higher transaction volumes create higher risk exposure, and therefore higher verification requirements are justified.
Level 1: The Most Stringent Requirements
Level 1 merchants process more than 6 million card transactions annually. These are national retailers, large e-commerce operations, multinational corporations, and significant payment processors.
A Level 1 merchant must undergo a mandatory annual third-party audit conducted by a Qualified Security Assessor — an independent firm certified by the PCI Council. This is a full audit where a professional examines your systems, tests your controls, and issues a formal report. Costs typically range from $15,000 to $50,000 or higher depending on environment complexity. A large multinational might spend $100,000+ on an annual audit.
Beyond the annual audit, Level 1 merchants must complete quarterly vulnerability scans conducted by an Approved Scanning Vendor — automated assessments looking for known vulnerabilities, unpatched software, and misconfigurations, costing approximately $1,000 to $5,000 per quarter.
Level 1 merchants must also conduct annual penetration testing, where qualified security professionals attempt to attack your systems to find vulnerabilities that automated scanning might miss. Penetration testing costs range from $3,000 to $15,000 depending on scope and complexity.
All of this is in addition to internal labor costs. A Level 1 merchant needs dedicated staff or contractors to maintain PCI compliance — managing the audit process, coordinating with the QSA, remediating findings, managing scanning vendors, overseeing penetration testing, maintaining policies, ensuring training, managing incident response planning, and handling day-to-day operations. The Verizon 2023 Payment Security Report found that only 43% of organizations maintained full PCI DSS compliance between annual assessments — meaning the majority are investing in compliance during audit season and letting controls drift the rest of the year, which increases costs through remediation cycles.
For a Level 1 merchant, total first-year compliance costs typically run $50,000 to $150,000 or more. Subsequent years might be $30,000 to $100,000 annually because you're maintaining what you've built rather than doing initial implementation. The card networks impose these requirements because at this transaction volume, the financial exposure from a breach is massive — a stolen database from a Level 1 merchant could compromise millions of card accounts, and the cost to card networks of dealing with that breach far exceeds the cost of requiring audits. The requirements step down significantly for merchants processing fewer transactions.
Level 2: Mid-Size Merchants
Level 2 merchants process between 1 and 6 million card transactions annually — successful mid-market retailers, growing e-commerce businesses, mid-size payment processors.
Requirements for Level 2 vary by card network. Visa requires Level 2 merchants to complete annual third-party audits. Mastercard, American Express, and Discover typically allow self-assessment if certain other requirements are met. This is one area where card networks haven't achieved complete harmonization. Your acquiring bank will specify your requirements.
Most Level 2 merchants complete annual third-party audits anyway, even if not required by their primary card network, because their acquiring bank requires it as a condition of processing or because they plan to grow into Level 1 and want audit process familiarity.
All Level 2 merchants must complete quarterly vulnerability scanning and annual penetration testing — same scope and cost ranges as Level 1. All Level 2 merchants must comply with all 12 PCI DSS requirements without exception. Nothing is waived for mid-market companies.
For Level 2 merchants requiring annual audits, total annual compliance costs typically fall in the $20,000 to $50,000 range, with first-year costs potentially higher for initial control implementation. If your acquiring bank allows self-assessment, costs might be $10,000 to $30,000 annually by eliminating the audit fee. Many Level 2 merchants view this as the sweet spot — enough regulatory burden to justify a dedicated compliance effort but not so expensive that it drags on the business. The trade-off lightens further at Level 3.
Level 3: Self-Assessment Permission
Level 3 merchants process between 20,000 and 1 million card transactions annually — growing businesses, small chains, many service-based businesses that accept cards.
Level 3 merchants can complete self-assessment questionnaires rather than mandatory third-party audits. You fill out a PCI-provided questionnaire about your controls, sign an attestation of compliance, and submit it to your acquiring bank. Self-assessment doesn't mean compliance is optional or easier — you still implement all controls correctly and answer the questionnaire accurately. But you're not paying $20,000+ for an auditor to verify your answers.
Level 3 merchants must still complete quarterly vulnerability scanning, though some acquiring banks allow self-conducted scans rather than requiring an approved vendor. Penetration testing may or may not be required depending on your acquiring bank — clarify this in your merchant agreement or by asking your processor directly.
Level 3 merchants must comply with all 12 PCI DSS requirements. The difference is verification methodology, not control requirements.
Annual compliance costs for Level 3 typically run $5,000 to $20,000 depending on whether penetration testing is required and whether vulnerability scanning is conducted in-house or outsourced. This is significantly cheaper than Level 2. The requirements lighten further at the smallest merchant level.
Level 4: Minimal Verification
Level 4 merchants process fewer than 20,000 transactions annually — small businesses, professional services firms, restaurants, retail shops, and virtually any organization accepting a small number of credit cards.
Level 4 requirements are the lightest. You complete a self-assessment questionnaire and submit an attestation of compliance. No mandatory third-party audits. No mandatory quarterly scanning by approved vendors, though your acquiring bank might still require it. Penetration testing is rarely required.
This doesn't mean Level 4 merchants are exempt from the 12 PCI DSS requirements. You still need to implement network segmentation if you have card data, encryption if you store it, access controls if multiple people can access it, and monitoring if you have systems. The difference is you verify your own compliance rather than paying an independent auditor.
Level 4 compliance can cost as little as $1,000 to $5,000 annually if your environment is simple and you're maintaining controls correctly. Many Level 4 merchants accomplish compliance with minimal consulting help because they're using payment processors or point-of-sale systems that handle most of the compliance complexity. The Level 4 sweet spot is simplicity — if you're using a modern payment processor and not storing card information in your own systems, your PCI scope shrinks dramatically and costs become minimal.
How Transaction Volume Is Calculated
Your compliance level is determined by total transaction volume across all card networks in the prior 12 months — Visa, Mastercard, American Express, Discover, and any other networks you process. Your acquiring bank tracks transaction volume and notifies you of your level.
This is purely quantitative. A merchant becomes Level 2 the moment they hit 1,000,001 transactions in a rolling 12-month period. An organization at 999,999 transactions is Level 3. This creates scenarios where some organizations deliberately use payment processors to keep transaction volume off their own systems and stay in a lower compliance level. Instead of processing cards directly, they use a hosted payment page where a processor handles the transactions. The transactions still happen, but they don't count toward the merchant's PCI level because the processor is handling them. This is legitimate scope reduction — you're shifting PCI responsibility to someone better equipped to handle it at scale, not evading compliance.
Level Transitions
As transaction volume increases, your compliance level may increase. Moving from Level 4 to Level 3 is relatively painless — self-assessment questionnaires are still permitted. Moving from Level 3 to Level 2, or Level 2 to Level 1, introduces more rigorous requirements.
The most expensive transition is Level 2 to Level 1 because it adds the mandatory third-party audit. If you're approaching a level increase, understand what the next level requires and budget accordingly before reaching the threshold. Some organizations deliberately constrain transaction volume to avoid higher compliance levels by using payment processors for certain transaction types — a legitimate business decision if the economics work.
When you move to a higher level, card networks typically allow a grace period to demonstrate compliance at the new level, usually up to a year to complete the required assessment.
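The volume rule above (all networks, rolling 12 months, 1,000,001 is Level 2 while 999,999 is Level 3) and the budgeting advice under Level Transitions, as a small calculator added here for illustration; it is not the article's or any card network's tool. It assumes per-network monthly counts are available as a dict keyed by (year, month), and the sample figures are constructed.

```python
# Thresholds as the article states them: over 6M is Level 1, over 1M up to
# 6M is Level 2, 20,000 up to 1M is Level 3, under 20,000 is Level 4.
def merchant_level(total: int) -> int:
    if total > 6_000_000:
        return 1
    if total > 1_000_000:
        return 2
    if total >= 20_000:
        return 3
    return 4

# Smallest annual volume at which the next-higher level begins.
NEXT_THRESHOLD = {4: 20_000, 3: 1_000_001, 2: 6_000_001}

def months_back(year: int, month: int, n: int) -> tuple[int, int]:
    """(year, month) n months before the given month (n=0 is that month)."""
    idx = year * 12 + (month - 1) - n
    return idx // 12, idx % 12 + 1

def rolling_volume(monthly: dict, year: int, month: int) -> int:
    """Sum every network's count over the 12 months ending in (year, month)."""
    window = {months_back(year, month, n) for n in range(12)}
    return sum(sum(nets.values()) for ym, nets in monthly.items() if ym in window)

def assess(monthly: dict, year: int, month: int) -> dict:
    """Level for the trailing year plus headroom before the next level applies."""
    total = rolling_volume(monthly, year, month)
    level = merchant_level(total)
    nxt = NEXT_THRESHOLD.get(level)          # None at Level 1: nothing above it
    return {
        "total": total,
        "level": level,
        "next_level": level - 1 if nxt else None,
        "headroom": nxt - total if nxt else None,
    }

# Constructed sample: 14 months of per-network counts, so the two oldest
# months fall outside the 12-month window ending February 2025.
SAMPLE = {}
for n in range(14):
    SAMPLE[months_back(2025, 2, n)] = {"visa": 60_000, "mastercard": 20_000, "amex": 5_000}
SAMPLE[(2025, 2)] = {"visa": 45_000, "mastercard": 15_000, "amex": 4_999}  # lighter month

if __name__ == "__main__":
    print(assess(SAMPLE, 2025, 2))   # 999,999 transactions: Level 3, 2 short of Level 2
```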
Misclassification
Your acquiring bank is responsible for correctly classifying your compliance level. Most acquiring banks are careful about classification because misclassification exposes them to penalties from card networks.
If you're classified too high, you're paying for compliance requirements you don't actually face. If classified too low, your acquiring bank will eventually discover it through transaction reporting and require retroactive remediation. Self-report your volume accurately. If you dispute your classification, ask your acquiring bank to review it and provide documentation of transaction volume. The time to challenge is when you first receive the classification, not 18 months later during an audit.
You now know which level you fall into, what compliance requirements your level imposes, and roughly what compliance should cost. This lets you evaluate whether a vendor's proposal for $100,000 in controls makes sense for your transaction volume — it probably does for Level 1, it doesn't for Level 4. You can now talk to your acquiring bank or a compliance consultant from a position of knowledge instead of uncertainty.
Frequently Asked Questions
Can a Level 4 merchant be required to complete a Level 1 audit?
Yes. If a Level 4 merchant experiences a data breach, the card networks and acquiring bank can require a full QSA audit regardless of transaction volume. Post-breach assessments are mandatory and follow Level 1 audit requirements. Additionally, some acquiring banks impose stricter requirements on merchants in high-risk categories (gambling, adult entertainment, etc.) regardless of transaction volume.
Do e-commerce transactions count differently than in-store transactions?
Transaction volume is calculated as total transactions regardless of channel. However, e-commerce transactions create different PCI scope requirements because they involve internet-facing systems. A merchant processing 500,000 in-store transactions and 500,000 e-commerce transactions is Level 3 by volume, but their compliance scope includes both the in-store POS environment and the e-commerce platform. PCI DSS 4.0 introduced additional requirements specifically for e-commerce payment pages.
What happens if we're classified at one level by Visa and another by Mastercard?
This is possible because each card network sets its own thresholds and requirements. In practice, you comply with the most stringent requirement applicable. If Visa classifies you as Level 1 and Mastercard as Level 2, you complete the Level 1 audit (which satisfies both). Your acquiring bank typically communicates the highest applicable requirement.
How does PCI DSS 4.0 change the compliance level requirements?
PCI DSS 4.0 (effective March 2025 for all requirements) does not change the transaction volume thresholds for levels. It does introduce new control requirements that apply across all levels, including enhanced authentication requirements, expanded logging and monitoring, and new e-commerce security controls. The compliance obligations within each level have increased, but the level classifications themselves remain the same.
Can we split our business into separate entities to stay at lower compliance levels?
Card networks and acquiring banks look at this carefully. Splitting a single business into multiple legal entities to artificially reduce transaction volume per entity is considered structuring and may result in the card network or acquiring bank consolidating volumes and assigning the higher level. Genuinely separate businesses with independent operations and separate acquiring relationships are classified independently. The distinction is whether the split has legitimate business purpose beyond compliance level reduction.
Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general information about PCI DSS as of its publication date. Standards, costs, and requirements evolve — consult a qualified compliance professional for guidance specific to your organization.