
PCI DSS Merchant Levels: Differences Between Level 1, 2, 3 and 4

January 25, 2025 · 6 min read · PCI Proxy EU

PCI DSS merchant levels define a merchant's risk profile based on the annual volume of card transactions processed. The level determines which validation obligations apply: from an independently completed self-assessment up to a mandatory audit by a certified QSA (Qualified Security Assessor). Knowing your level is the first step to planning compliance effectively and proportionately.


The 4 PCI DSS merchant levels: transaction thresholds

The classification by level is based on the number of card transactions processed over 12 months, summed across all channels (e-commerce, POS, MOTO). The main thresholds defined by Visa and Mastercard are:

  • Level 1: more than 6 million annual transactions with any card network, or any merchant that has suffered a data breach. Mandatory annual audit by a QSA and quarterly vulnerability scans by an Approved Scanning Vendor (ASV).
  • Level 2: between 1 and 6 million annual transactions. Annual Self-Assessment Questionnaire (SAQ, completed internally) and quarterly ASV scan.
  • Level 3: between 20,000 and 1 million annual e-commerce transactions. Annual SAQ and quarterly ASV scan.
  • Level 4: fewer than 20,000 annual e-commerce transactions, or up to 1 million transactions on other channels. SAQ recommended (in many cases mandatory at the acquirer's request).
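The threshold rules above, together with the breach rule and the "volume cannot be split across acquirers" rule from the FAQ, can be expressed as a small classifier. This is an added example, not code from PCI Proxy EU or from the card schemes; the per-acquirer data structure, the function names and the handling of exact boundary values (for example exactly 1,000,000 transactions) are assumptions of the example, since the article does not spell them out.

```python
from dataclasses import dataclass

# Thresholds as given in the article (Visa/Mastercard figures).
LEVEL_1_MIN_TOTAL = 6_000_000   # more than this across all channels -> Level 1
LEVEL_2_MIN_TOTAL = 1_000_000   # 1M to 6M across all channels       -> Level 2
LEVEL_3_MIN_ECOM = 20_000       # 20k to 1M e-commerce transactions  -> Level 3


@dataclass(frozen=True)
class AcquirerVolume:
    """Annual card transactions reported through one acquirer, split by channel.
    (Hypothetical structure for this example.)"""
    acquirer: str
    ecommerce: int = 0
    other: int = 0  # POS, MOTO and any other non-e-commerce channel


def merchant_level(volumes, breached=False):
    """Return the PCI DSS merchant level (1-4).

    Rules as the article states them:
      * a merchant that has suffered a data breach is Level 1 regardless of volume;
      * volume is summed over every acquirer and every channel, never split;
      * >6M total -> 1; 1M-6M total -> 2; 20k-1M e-commerce -> 3; otherwise 4.
    Inclusive lower bounds at 1M and 20k are an assumption of this example.
    """
    if breached:
        return 1
    ecommerce = sum(v.ecommerce for v in volumes)
    total = ecommerce + sum(v.other for v in volumes)
    if total > LEVEL_1_MIN_TOTAL:
        return 1
    if total >= LEVEL_2_MIN_TOTAL:
        return 2
    if ecommerce >= LEVEL_3_MIN_ECOM:
        return 3
    return 4


# Validation obligation per level, as listed in the article.
OBLIGATIONS = {
    1: "annual RoC by a QSA + quarterly ASV scan",
    2: "annual SAQ + quarterly ASV scan",
    3: "annual SAQ + quarterly ASV scan",
    4: "SAQ recommended (often mandatory at the acquirer's request)",
}


def validation_obligation(volumes, breached=False):
    return OBLIGATIONS[merchant_level(volumes, breached)]
```

Constructed check: two acquirers each seeing 700,000 and 500,000 e-commerce transactions would each look like Level 3 in isolation, but the summed 1.2 million makes the merchant Level 2.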

Obligations per level: from SAQ to QSA

The practical difference between levels is not just the number of transactions: it is the complexity and cost of the compliance obligations. A Level 1 merchant must commission an annual Report on Compliance (RoC) from a certified QSA, which includes interviews, document review and technical testing across the entire in-scope infrastructure. The cost of a complete RoC ranges between €30,000 and €150,000 depending on the size of the environment.

Level 2, 3 and 4 merchants can manage compliance through self-assessment, but the complexity of the SAQ depends on the payment architecture adopted. A Level 4 merchant with a direct checkout and an extended cardholder data environment (CDE) may need to complete an SAQ D with hundreds of questions. The same merchant using tokenization and a hosted payment page can qualify for SAQ A and complete the self-assessment independently in a few hours.

How tokenization reduces risk regardless of level

The merchant level determines validation obligations, but it does not change the underlying security logic: the less card data a merchant handles directly, the smaller the surface exposed to attack and the fewer compliance requirements apply. Tokenization with PCI Proxy EU reduces the CDE at every level: a Level 1 merchant that tokenizes PANs shrinks the RoC perimeter and with it the audit cost; a Level 4 merchant that tokenizes can move to SAQ A.

An often overlooked point: the level can change after a data breach. A merchant that suffers a breach is automatically classified as Level 1 for the following years, with all the resulting audit obligations. Reducing the CDE with tokenization also reduces the probability that a breach exposes real card data, protecting the merchant from this escalation.

Frequently asked questions

How do I know my merchant level?

The level is assigned by your acquirer or sponsoring bank based on the annual transaction volume you report. If you have not received an explicit notification, contact your acquirer or PSP directly: they are required to inform you of the assigned level and the corresponding obligations.

Does the merchant level change if I use multiple acquirers?

Yes. Total transaction volume must be summed across all acquirers and all card networks. It is not possible to "split" volume between different acquirers to stay below a level threshold: PCI DSS and the card schemes' guidelines require the overall total to be considered.

Can a Level 4 merchant complete the SAQ independently?

Yes, in most cases. The SAQ for Level 4 merchants can be completed internally without a QSA's support, provided the merchant understands the applicable requirements and can document them correctly. Some acquirers still require a qualified consultant's signature for more complex SAQs like SAQ D.

Want to simplify PCI DSS compliance whatever your merchant level? Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
