PCI DSS Compliance Levels Explained with Real-World Scenarios
Understanding PCI DSS Compliance Levels
PCI DSS sets a baseline for protecting cardholder data, while compliance levels determine how much oversight you face. Levels are primarily based on your annual transaction volume and risk profile, which affects the validation steps you must complete each year.
How levels are assigned
Card brands group merchants into four levels. Higher levels mean stricter validation. Your acquirer can also raise your level if your risk increases, such as after a security incident or rapid growth.
Typical thresholds (merchant)
- Level 1: More than 6 million transactions annually across channels, or any merchant deemed high risk or breached.
- Level 2: About 1 million to 6 million transactions annually.
- Level 3: Roughly 20,000 to 1 million annual e‑commerce transactions.
- Level 4: Fewer than 20,000 e‑commerce transactions annually, or up to about 1 million total transactions.
Thresholds can vary by brand, so you should confirm expectations with your acquirer. Service providers follow separate levels; this article focuses on merchant validation.
Why levels matter
Your level dictates whether you complete a Self-Assessment Questionnaire (SAQ) or undergo an on-site assessment, whether a Report on Compliance (ROC) is required, and the cadence for external Network Vulnerability Scans by an Approved Scanning Vendor (ASV).
Compliance Requirements for Level 1
If you are Level 1, you face the most rigorous validation. Expect an annual on-site assessment and deeper testing to confirm that controls operate effectively across your entire cardholder data environment (CDE).
What you must submit
- Annual Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) program participant where permitted.
- Annual Attestation of Compliance (AOC) signed and submitted to your acquirer.
- Quarterly external Network Vulnerability Scans by an Approved Scanning Vendor (ASV), with remediation and rescans until passing.
Core technical controls typically validated
- Documented scoping with data-flow and network diagrams and strong segmentation that isolates the CDE.
- Configuration hardening, secure coding, and annual penetration testing that includes segmentation testing.
- Strong authentication and access control (least privilege, MFA for administrative and remote access), robust key management, and encryption of cardholder data in transit and at rest.
- Logging, centralized monitoring, file integrity monitoring, and timely vulnerability management and patching.
Operational cadence
- Track-and-remediate findings with evidence, ticketing, and change control records.
- Maintain incident response plans with regular tabletop exercises.
- Manage third parties by obtaining their AOC and monitoring their performance.
Compliance Requirements for Level 2
Level 2 merchants usually validate through a Self-Assessment Questionnaire, though some acquirers or brands may require a ROC. You still need to demonstrate effective control operation across your in-scope systems.
What you must submit
- Annual SAQ of the correct type (for example, SAQ D for most in-scope environments, SAQ A or A-EP for e‑commerce outsourcing patterns).
- Annual Attestation of Compliance (AOC) signed by an authorized officer.
- Quarterly external Network Vulnerability Scans by an ASV when you have internet-facing systems.
Choosing the right SAQ
- SAQ A: Fully outsourced e‑commerce or mail/telephone order with no cardholder data touching your systems (e.g., hosted payment page or embedded iFrame).
- SAQ A-EP: Your website can impact the payment page (e.g., it hosts or controls scripts) even if it doesn’t receive card data.
- SAQ B/B-IP/C/C-VT/P2PE: For specific terminal or virtual terminal scenarios; consult your acquirer to confirm eligibility.
Control expectations
- Maintain secure configuration, patching, and vulnerability management with risk-based prioritization.
- If your environment stores, processes, or transmits card data or can impact it (e.g., A-EP), perform annual penetration testing and use protective technologies such as a WAF for public-facing web apps.
- Use tokenization and point-to-point encryption (P2PE) to reduce scope where feasible.
Compliance Requirements for Level 3
Level 3 primarily covers e‑commerce merchants processing tens of thousands to under a million transactions annually. Your website architecture determines which SAQ applies and which technical safeguards are required.
E‑commerce focus
- SAQ A merchants should harden and monitor their marketing site, restrict who can change it, and ensure the payment page is truly hosted by a compliant provider.
- SAQ A-EP merchants must treat their web tier as in-scope: secure development practices, change control, WAF, file integrity monitoring, and ASV scans are standard.
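The script control described above (knowing which scripts are authorized on the payment page and detecting unauthorized changes to it) is a check an SAQ A or A-EP merchant can automate rather than inspect by hand. The Python below is an added example written for this article, not code from the original page or from any payment provider: it parses the `<script>` elements of a page as the browser would receive it, compares external scripts against an allowlist keyed by source URL with Subresource Integrity (SRI) hashes, flags inline scripts that are not individually approved by hash, and compares the whole page against a stored baseline fingerprint. The gateway URL, the attacker domain, the script bodies and the HTML are constructed for the demonstration and belong to no real site.

```python
"""
Payment-page script inventory and tamper check (added illustration).

Models the PCI DSS v4 expectations for payment pages: every script loaded in
the consumer browser is inventoried and authorized (Req. 6.4.3), and
unauthorized modification of the page as received by the browser is detected
(Req. 11.6.1). All URLs, script bodies and HTML here are constructed samples.
"""
import base64
import hashlib
import re

# <script ...>body</script>; attributes must be quoted (single or double).
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def sri_sha384(content):
    """SRI-style digest string ("sha384-<base64>") for a script body."""
    if isinstance(content, str):
        content = content.encode()
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def page_fingerprint(html):
    """Hex SHA-256 of the page text; store this for the last approved version."""
    return hashlib.sha256(html.encode()).hexdigest()


def parse_scripts(html):
    """Return [(attrs_dict, inline_body)] for every <script> element on the page."""
    out = []
    for m in SCRIPT_RE.finditer(html):
        attrs = {a.group(1).lower(): (a.group(2) if a.group(2) is not None else a.group(3))
                 for a in ATTR_RE.finditer(m.group(1))}
        out.append((attrs, m.group(2).strip()))
    return out


def check_payment_page(html, authorized_external, authorized_inline, baseline=None):
    """
    Compare the delivered page against the authorized script inventory.

    authorized_external: {src_url: expected SRI value}
    authorized_inline:   set of SRI values for approved inline script bodies
    baseline:            fingerprint of the last approved page, or None to skip
    Returns a list of finding strings; an empty list means the page passes.
    """
    findings = []
    if baseline is not None and page_fingerprint(html) != baseline:
        findings.append("page content changed: fingerprint differs from baseline")
    for attrs, body in parse_scripts(html):
        src = attrs.get("src")
        if src is None:
            # Inline script: only bodies that were approved by hash are allowed.
            if sri_sha384(body) not in authorized_inline:
                findings.append("unauthorized inline script: " + body[:40])
            continue
        if src not in authorized_external:
            findings.append("unauthorized external script: " + src)
            continue
        # Authorized source: the integrity attribute must pin the approved body.
        if attrs.get("integrity") != authorized_external[src]:
            findings.append("integrity missing or mismatched for " + src)
    return findings


# ---- Constructed sample inventory and pages (hypothetical names) ----
GATEWAY_URL = "https://pay.example-gateway.test/v1/gateway.js"
GATEWAY_JS = b"window.Gateway = {tokenize: function(card){ /* ... */ }};"
APPROVED_INLINE = "Gateway.init({merchant: 'demo'});"

AUTHORIZED_EXTERNAL = {GATEWAY_URL: sri_sha384(GATEWAY_JS)}
AUTHORIZED_INLINE = {sri_sha384(APPROVED_INLINE)}


def approved_page():
    """The payment page as the merchant approved it."""
    return ("<html><head>"
            f'<script src="{GATEWAY_URL}" integrity="{sri_sha384(GATEWAY_JS)}" '
            'crossorigin="anonymous"></script></head><body>'
            f"<script>{APPROVED_INLINE}</script></body></html>")


def skimmed_page():
    """The approved page with a skimmer-style injection appended (constructed)."""
    return approved_page().replace(
        "</body>",
        '<script src="https://cdn.attacker-cdn.test/a.js"></script>'
        "<script>document.forms[0].addEventListener('submit', function(){});</script>"
        "</body>")


def tampered_gateway_page():
    """The approved page with the gateway script's integrity value altered."""
    return approved_page().replace(sri_sha384(GATEWAY_JS), "sha384-AAAA")


if __name__ == "__main__":
    baseline = page_fingerprint(approved_page())
    for name, page in [("approved", approved_page()), ("skimmed", skimmed_page()),
                       ("tampered", tampered_gateway_page())]:
        print(name, check_payment_page(page, AUTHORIZED_EXTERNAL, AUTHORIZED_INLINE, baseline))
```

In practice the page text is fetched from the production site on a schedule (the same way an external scanner sees it) so that injections made at the CDN or by a compromised third-party script are caught, not just changes in your own repository. The inventory itself is the evidence artifact an assessor will ask for: who approved each script, why it is on the page, and when it was last reviewed.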
What you must submit
- Annual SAQ (A or A-EP most commonly) and an AOC.
- Quarterly ASV scans for any internet-facing components you manage.
- Evidence of remediation for any discovered vulnerabilities before attesting compliance.
Compliance Requirements for Level 4
Level 4 is designed for small businesses with low transaction volumes. You still need to meet PCI DSS requirements appropriate to your setup, but validation is lighter and usually self-attested.
Streamlined validation
- Annual SAQ of the applicable type (e.g., B, B-IP, C-VT, P2PE, or A/A-EP for e‑commerce).
- Annual AOC submitted to your acquirer or payment partner.
- Quarterly ASV scans if you have internet-facing IPs or web applications.
Practical steps for small environments
- Prefer P2PE-enabled terminals and tokenization to keep card data out of your network.
- Use vendor-managed, auto-updating systems and restrict remote access with MFA.
- Maintain basic policies, staff training, secure Wi‑Fi, and timely patching on all in-scope devices.
Real-World Compliance Scenarios
1) National retailer with stores and e‑commerce (Level 1)
You process 10+ million transactions a year across channels. You complete an annual QSA-led ROC, provide an AOC, run quarterly ASV scans, and conduct annual penetration and segmentation tests. Strong segmentation keeps point-of-sale networks isolated from corporate systems.
2) Subscription e‑commerce brand using a hosted payment page (Level 3)
You redirect customers to a gateway’s hosted page and never touch card data, qualifying for SAQ A. Your focus is hardening the marketing site, limiting script injection, monitoring changes, and passing quarterly ASV scans of any internet-facing IPs you control.
3) Local café with P2PE terminals (Level 4)
You use P2PE-certified devices and a separate guest Wi‑Fi. You complete SAQ P2PE and an AOC annually. Minimal in-scope systems reduce complexity, but you still patch terminals, restrict physical access, and educate staff on card-handling procedures.
4) Small web shop after a security incident (escalated to Level 1)
After a breach, your acquirer elevates you to Level 1 despite low volume. A QSA conducts a full ROC with expanded sampling and evidence reviews, and validates that the remediation actions from the forensic investigation have actually been implemented. You implement stronger segmentation and continuous monitoring, and revalidate before resuming normal operations.
5) Mid‑market SaaS with in‑app payments via iFrame (Level 2)
Your iFrame keeps card data out of your backend, which can qualify you for SAQ A, but only if the page that embeds the iFrame cannot affect the security of the payment; if your application's code can influence the payment page, expect your acquirer or brand to require A-EP. You harden your build pipeline, deploy a WAF, run ASV scans, and maintain third‑party AOCs from your payment provider.
Best Practices to Maintain PCI DSS Compliance
Reduce and control scope
- Adopt tokenization and P2PE to eliminate card data from your systems wherever possible.
- Segment networks rigorously; document data flows and update diagrams with each architectural change.
Stay ahead of vulnerabilities
- Run quarterly external Network Vulnerability Scans with an ASV and remediate promptly; run internal vulnerability scans at least quarterly as well, and rescan after significant changes.
- Conduct annual penetration testing and segmentation testing; retest after significant changes.
Strengthen identity, application, and platform security
- Enforce MFA for admins and remote access, apply least privilege, and review access quarterly.
- Harden configurations, patch systems on a defined timeline, and deploy a WAF for public web apps.
Operationalize compliance
- Build a compliance calendar to track SAQs/ROC, AOC, ASV scans, and evidence collection.
- Train staff regularly; perform phishing simulations and refresh secure-handling procedures.
- Manage vendors: collect their Attestation of Compliance and ensure contracts include PCI responsibilities.
In short, understand your PCI DSS Compliance Level, choose the right validation path (SAQ or ROC), reduce scope with strong architecture, and sustain controls through scanning, testing, monitoring, and disciplined operations.
FAQs
What determines PCI DSS compliance levels?
Your annual transaction volume, the channels you use (card-present vs. e‑commerce), and risk factors such as prior breaches determine your level. Card brands define thresholds, and your acquirer can raise your level based on risk. The level then drives whether you self-assess with an SAQ or undergo a QSA/ISA-led ROC and which artifacts (AOC, ASV scans) you must submit.
How does a Qualified Security Assessor perform an audit?
A QSA scopes your environment, reviews architecture and data flows, and examines policies and procedures. They interview staff, observe controls, sample systems, verify quarterly ASV scan results and penetration tests, and collect evidence. Findings are compiled into a Report on Compliance; after remediation, you sign an Attestation of Compliance and submit it to your acquirer.
What are the key differences between Level 1 and Level 4 requirements?
Level 1 requires an annual on-site assessment and a ROC by a QSA or, where allowed, an Internal Security Assessor, plus an AOC and quarterly ASV scans. Level 4 typically uses an SAQ and AOC with the same foundational PCI DSS controls scaled to a smaller footprint; ASV scans are still required for internet-facing systems. The main difference is validation depth and evidence rigor, not the importance of the controls.
How can small businesses ensure PCI DSS compliance?
Keep card data out of your systems with P2PE, tokenization, and hosted payment pages; choose the correct SAQ; run quarterly ASV Network Vulnerability Scans and fix issues quickly; patch all in-scope assets; enforce MFA and least privilege; train staff; and maintain vendor AOCs. Document everything and follow a compliance calendar so nothing slips.