Your PCI DSS compliance levels decide how much work it takes to prove you are compliant. The card brands assign every merchant and service provider a level based on annual transaction volume, and that level determines whether you validate with a self-assessment questionnaire or a full external audit. This guide explains the PCI DSS compliance levels for both merchants and service providers, and how to confirm which one applies to you.

Merchant PCI DSS compliance levels
Merchants are classified into four levels, based primarily on annual card transaction volume. The exact thresholds are set by each card brand, but they broadly follow this pattern:

| Level | Annual transaction volume (approximate) | Typical validation |
|---|---|---|
| Level 1 | Over ~6M transactions/year (or after a breach) | Annual ROC by a QSA + quarterly scans |
| Level 2 | ~1M–6M transactions/year | Annual SAQ + quarterly scans |
| Level 3 | ~20K–1M e-commerce transactions/year | Annual SAQ + quarterly scans |
| Level 4 | Under ~20K e-commerce transactions/year (or up to 1M total) | Annual SAQ + quarterly scans |

Note: Thresholds and exact requirements vary by card brand and acquirer. Always confirm your level and obligations with your acquiring bank.
Service provider levels
Service providers (companies that process, store, or transmit card data on behalf of others) have their own levels — broadly, larger providers require an annual on-site assessment and a ROC, while smaller ones may self-assess.
Documentation for any level
Whether you validate by SAQ or a full ROC, you need the underlying policies. The PCI DSS Toolkit gives you that complete, auditor-written set mapped to PCI DSS v4.0.
SAQ vs. ROC
- A Self-Assessment Questionnaire (SAQ) lets eligible merchants attest to compliance themselves.
- A Report on Compliance (ROC) is a formal assessment by a Qualified Security Assessor (QSA), required for the largest merchants and providers.
We cover how these fit into the full validation journey in how to become PCI DSS compliant.
There’s more than one SAQ
Crucially, there are several SAQ types (such as A, A-EP, B, C, and D), each matched to how you handle card data — for example, whether you fully outsource payments or process them yourself. Choosing the right SAQ is essential, because it determines which requirements apply to you.
How to confirm your PCI DSS compliance level
Because the card brands set the thresholds, the definitive answer to your level comes from your acquiring bank or the brands themselves, not a guess based on turnover alone. Start by adding up your annual card transactions across all channels and all brands, then ask your acquirer to confirm the level they hold you to; a recent breach or a brand's discretion can push you up a level regardless of volume. The official criteria are maintained by the PCI Security Standards Council and each card brand. Confirming your PCI DSS compliance level early matters, because it dictates whether you complete a SAQ or commission a Report on Compliance, and that changes your whole timeline.
Frequently asked questions
How do I find my level?
Your acquiring bank or payment processor determines and confirms your level based on your transaction volume.
Can I reduce my burden?
Yes — outsourcing card handling (for example, using a hosted payment page) can qualify you for a simpler SAQ and shrink your scope.
The takeaway: your PCI DSS compliance level is set by transaction volume and confirmed by your acquirer, and it drives everything downstream — the questionnaire you complete, whether you need an external assessor, and how long validation takes. Confirm it before you plan the work, and revisit it each year as your transaction volumes grow, so a jump in sales never leaves you validating at the wrong level.
