PCI DSS sets different requirements for how you must assess your compliance, depending on the number of transactions that you store, process, or transmit annually. However, other considerations may also apply, such as:

  • The value of your transactions
  • Whether you have had a breach
  • The type of transactions (for example, higher risk transactions)

Typically, though, your level is based on the number of transactions you store, process, or transmit yourself or on behalf of your customers.

Merchant Levels

| Merchant Level | Number of Transactions (Annual) | Payment Channel | Assessment Requirements |
|---|---|---|---|
| Level 1 | 6+ Million | All Channels | Annual Onsite Assessment (RoC) by a QSA |
| Level 2 | 1 - 6 Million | All Channels | Self-Assessment Questionnaire (SAQ) by an ISA; Onsite assessment by a QSA (MasterCard) |
| Level 3 | 20,000 - 1 Million | E-Commerce | Self-Assessment Questionnaire (SAQ) |
| Level 4 | Up to 1 Million | All Channels | Self-Assessment Questionnaire (SAQ) |
| Level 4 | Fewer than 20,000 | E-Commerce | Self-Assessment Questionnaire (SAQ) |

Service Provider Levels

| Service Provider Level | Transaction Volume (Annually) | Assessment Type |
|---|---|---|
| Level 1 | More than 300,000 transactions | Report on Compliance (RoC) |
| Level 2 | Fewer than 300,000 transactions | Self-Assessment Questionnaire (SAQ) |