PCI DSS has different requirements for how you have to assess your compliance depending on the number of transactions that you store, process, or transmit on an annual basis. However, there may be other considerations, such as:
- The value of your transactions
- Whether you have had a breach
- The type of transactions (for example, higher risk transactions)
Typically though, your level will focus on the number of transactions you store, process, or transmit yourself or on behalf of your customers.
Merchant Levels
| Merchant Level | Number of Transactions (Annual) | Payment Channel | Assessment Requirements |
|---|---|---|---|
| Level 1 | 6+ Million | All Channels | Annual Onsite Assessment (RoC) by a QSA |
| Level 2 | 1 - 6 Million | All Channels | Self-Assessment Questionnaire (SAQ) by an ISA Onsite assessment by a QSA (MasterCard) |
| Level 3 | 20,000 - 1 Million | E-Commerce | Self-Assessment Questionnaire (SAQ) |
| Level 4 | Up to 1 Million | All Channels | Self-Assessment Questionnaire (SAQ) |
| Fewer than 20,000 | E-Commerce | Self-Assessment Questionnaire (SAQ) |
Service Provider Levels
| Service Provider Levels | Transaction Volume (Annually) | Assessment Type |
|---|---|---|
| Level 1 | More than 300,000 transactions | Report on Compliance (RoC) |
| Level 2 | Fewer than 300,000 transactions | Self-Assessment Questionnaire (SAQ) |