PCI Compliance Levels

Do you know your PCI compliance level? It's important that merchants understand their PCI level in order to satisfy PCI compliance requirements.

WRITTEN & RESEARCHED BY
Frank Kehl
Expert Contributor

Last updated onUpdated August 26, 2024

REVIEWED BY

Expert Contributor

Our content reflects the editorial opinions of our experts. While our site makes money through , we only partner with companies that meet our standards for quality, as outlined in our independent .

Key Takeaways

PCI compliance is divided into four levels based on transaction volume, with higher levels requiring more stringent security measures and regular audits.
Adhering to the appropriate PCI level is essential for protecting sensitive cardholder data and avoiding penalties, fines, or potential security breaches.

There are four separate levels of PCI compliance, called the PCI Merchant Risk Level System. These PCI levels are based on the total number of credit card transactions your business processes annually. Your risk for a data breach goes up as you process more transactions, requiring additional steps to maintain PCI compliance.

Knowing which PCI compliance level you fall under is critically important because your processor will require different documentation and procedures for each one. Fortunately, determining which risk level your business falls under is easy and straightforward.

For a rundown of some of our favorite providers, check out our list of the best credit card processors for small businesses.

How Do PCI Merchant Levels Work?

Your business’s PCI compliance level depends on how many retail and eCommerce transactions you process per year. Most merchants fall into level 4. Note that your level depends on the number of transactions processed per year, not the dollar amount of your transactions.

	PCI Level 4	PCI Level 3	PCI Level 2	PCI Level 1
Annual Transaction Volume (eCommerce)	Less than 20,000	20,000-1,000,000	N/A	N/A
Annual Transaction Volume (All Sales Channels)	Up to 1,000,000	N/A	1,000,000-6,000,000	More than 6,000,000

Once you find your merchant risk level, you must take certain actions, directly related to your particular level, in order to maintain PCI compliance. Not adhering to those guidelines can result in expensive PCI noncompliance fees or even a data breach.

If you slack on maintaining your PCI compliance level requirements and your small business experiences a security breach, not only will it put you and your customers at risk, but it may also result in your business being placed in a much more restrictive PCI level (Level 1).

Below, we’ll discuss the criteria and compliance requirements for all four merchant risk levels. We’ll start with merchant level 4 and work our way up, as level four has the least stringent requirements and applies to the smallest businesses.

PCI Level 4

If your business processes fewer than 20,000 eCommerce transactions annually or up to 1 million transactions across all sales channels, you’ll be in Merchant Level 4. This is the most common merchant level, and most small businesses fall under it. Note that if your business is eCommerce-only or has a significant number of online transactions in addition to traditional retail sales, you might easily find yourself at a higher merchant risk level. You’ll want to coordinate closely with your processor to ensure you’re both in agreement on which merchant level applies to your business.

Merchant Level 4 compliance requirements include:

Complete and file an annual Self-Assessment Questionnaire (SAQ) issued by the PCI Security Standards Council (PCI SSC). This can often be completed online on your processor’s website.
Complete and obtain evidence of passing a vulnerability scan with a PCI SSC-approved scanning vendor. Your merchant account provider should accomplish this step for you. Note that this requirement does not apply to all merchant types.
Complete and file the appropriate Attestation of Compliance in its entirety. This is located within the SAQ.

That’s it! As long as you keep your SAQ updated every year and your provider accomplishes the required security scans, you should have no problem maintaining PCI compliance. You can assure your customers that it’s safe to entrust you with their credit card information, and your risk of sustaining a data breach will be minimized.

For more information on Merchant Level 4 compliance requirements, please see our quick guide to PCI compliance.

PCI Level 3

If your business processes between 20,000 and 1 million eCommerce credit/debit card transactions per year, you’ll be in the Level 3 category for PCI compliance. This is basically a separate category for larger eCommerce businesses. Retail-only businesses will be in Levels 1, 2, or 4, depending on their annual card transaction volume.

Compliance requirements for Level 3 merchants include:

Complete and file an annual Self-Assessment Questionnaire (SAQ) issued by the PCI Security Standards Council (PCI SSC).
Complete and obtain evidence of passing a quarterly vulnerability scan with a PCI SSC-approved scanning vendor. This requirement applies to all merchant types.
Complete and file the appropriate Attestation of Compliance in its entirety. This is located within the SAQ.

As you can see, the only additional requirement for Level 3 merchants is that the vulnerability scans must be accomplished quarterly rather than annually.

PCI Level 2

Merchants processing between 1 million and 6 million credit/debit card transactions per year will fall under the Level 2 PCI compliance requirements. This includes transactions from both retail (including mail order/telephone order) and eCommerce sales channels. Compliance requirements are essentially the same as for Level 3 and include:

Complete and file an annual Self-Assessment Questionnaire (SAQ) issued by the PCI Security Standards Council (PCI SSC).
Complete and obtain evidence of passing a quarterly vulnerability scan with a PCI SSC-approved scanning vendor.
Complete and file the appropriate Attestation of Compliance in its entirety.

PCI Level 1

Level 1 is the highest level of PCI compliance and applies to merchants who process over 6 million credit/debit transactions per year across all sales channels. Global merchants can also be identified as Level 1 by the Security Standards Council, even if their US transactions are less than 6 million per year. It’s also very important to note that any merchant who has suffered an actual data breach that resulted in data compromise can be placed in Level 1 by the SSC.

If you’re in Level 1, you’ll have to meet the following requirements to maintain PCI compliance:

Complete and file an annual Report on Compliance (ROC) issued by the PCI Security Standards Council (PCI SSC). This requirement must be accomplished by a Qualified Security Assessor (QSA) or an internal auditor if an officer of the company signs the ROC. Completing the ROC requires on-site inspections and is much more time-consuming (and expensive) than merely filling out an online questionnaire.
Complete and obtain evidence of passing a quarterly vulnerability scan with a PCI SSC-approved scanning vendor.
Complete and file the appropriate Attestation of Compliance in its entirety.

Most large businesses that fall into Level 1 will have adequate resources to meet these requirements. However, smaller businesses placed in Level 1 following a data breach may find it very challenging to meet the additional compliance requirements. This is yet another reason to take PCI compliance seriously and avoid being placed in the Level 1 “penalty box.”

For even more information on what businesses need to do to maintain PCI compliance, read our complete guide to PCI DSS compliance.

The Bottom Line On PCI Compliance Levels

We can’t emphasize enough the importance of avoiding an actual data breach. For smaller merchants, the additional costs of suffering a breach and being placed in the Level 1 compliance category could be a serious threat to the health of your business.

We’d also like to remind you that some providers offer a more robust set of features designed to safeguard your account and keep you in compliance than others. Choosing a good provider is critically important, not just for PCI compliance but also for protecting your business from chargebacks and other problems.

Bio
Twitter
LinkedIn
Latest Posts

Frank Kehl

Expert Contributor at Merchant Maverick

Frank has been writing about payment processing and business services since 2015. He is a retired Air Force officer and a former practicing attorney. He has a Bachelor of Science degree in Psychology from The Pennsylvania State University and a Juris Doctorate degree from the Ventura College of Law.