Compliance Requirements

PCI DSS Merchant Levels Explained (Level 1–4)

Your PCI merchant level decides how you prove compliance — a quick self-assessment or a full external audit. Here's how the four levels work and which one you're in.

Fraud Defence First
27 June 2026
6 min read

PCI DSS applies the same twelve requirements to everyone, but how you have to prove your compliance depends on your 'merchant level'. The level is set by how many card transactions you process a year, and it decides whether you can self-assess or need a formal external audit. For the full context, see our complete PCI DSS guide.

How merchant levels are decided

Each card scheme (Visa, Mastercard and the others) sets its own level criteria, but they line up closely and are based on annual transaction volume. Your acquirer (the bank that processes your card payments) tells you which level it treats you as, and it is the acquirer, not the scheme, you report to. The four levels are, broadly:

  • Level 1 — more than 6 million card transactions a year (or any merchant that has had a breach, or that a scheme designates Level 1).
  • Level 2 — 1 million to 6 million transactions a year.
  • Level 3 — 20,000 to 1 million e-commerce transactions a year.
  • Level 4 — fewer than 20,000 e-commerce transactions, or up to 1 million total transactions a year.

One caveat: the schemes have started to diverge. Visa has streamlined its programme to three levels, folding the old Level 4 into Level 3 — so for Visa, Level 3 now covers everyone up to a million transactions a year — while Mastercard still uses all four. The practical upshot for a small business is unchanged (you self-assess with an SAQ), but the exact level label your acquirer quotes can vary by card scheme.

What each level has to do

The practical difference is the validation method. Level 1 merchants must have a formal annual assessment, carried out by a Qualified Security Assessor (QSA) or by a qualified Internal Security Assessor (ISA) on their own staff, producing a Report on Compliance (ROC) and an Attestation of Compliance (AOC), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Levels 2 to 4 generally validate with the appropriate Self-Assessment Questionnaire (SAQ) and its AOC, plus quarterly ASV scans where the SAQ calls for them; some schemes ask Level 2 merchants to have that SAQ completed or signed off by an ISA or QSA. Which SAQ you complete is set by how you accept card payments (for example, a fully outsourced hosted payment page versus handling card data on your own systems), not by your level.

In other words: the smaller you are, the lighter the process. Almost every small and medium UK business is Level 4 and self-assesses, with no QSA audit required. The level only changes how you demonstrate compliance, though: every requirement that applies to your payment channel still has to be met, and a self-assessment is a signed declaration that it is.

Why your level matters

Knowing your level tells you what evidence your acquirer expects and how much work compliance involves. It also affects cost: a Level 1 ROC is a significant project, while a Level 4 SAQ can be completed quickly. If your transaction volume is climbing toward a threshold, it's worth planning ahead so a level change doesn't catch you out.

Not sure of your level or which SAQ goes with it? Our free assessment works it out from your payment setup, and our managed service handles the validation for you.

Need Expert PCI Compliance Help?

Our PCI compliance specialists are here to guide your business through the certification process. Get personalised advice and ensure your business stays compliant.