PCI-DSS Compliance

PCI-DSS Merchant Levels 1–4: Transaction Volumes and Validation Requirements

PCI-DSS merchant levels determine the validation path your organization must follow — whether you complete a Self-Assessment Questionnaire or require a Qualified Security Assessor on-site assessment, and what ongoing scanning and testing obligations apply. Levels are defined primarily by annual card transaction volume, but card brands, acquirers, and breach history can all affect your level assignment independently of your transaction count.

How Merchant Levels Are Defined

Each card brand — Visa, Mastercard, American Express, Discover, and JCB — maintains its own merchant level definitions. While the structures are broadly similar, the specific thresholds and requirements differ across brands. A merchant that processes across multiple card brands must satisfy the most stringent applicable requirements.
The following tables reflect the Visa and Mastercard merchant level definitions, which are the most widely referenced in the North American market. Organizations processing significant American Express volume should confirm requirements directly with American Express, whose Level 1 threshold begins at 2.5 million transactions rather than 6 million.

Visa and Mastercard Merchant Levels

| Merchant Level | Annual Transaction Volume | Annual Validation Requirement | Ongoing Scanning Requirement |
|---|---|---|---|
| Level 1 | More than 6 million Visa or Mastercard transactions annually across all channels; or any merchant designated Level 1 by Visa or Mastercard following a data compromise | Annual on-site Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA) | Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV); annual internal penetration test |
| Level 2 | 1 million to 6 million Visa or Mastercard transactions annually across all channels | Annual Self-Assessment Questionnaire (SAQ) with Attestation of Compliance, or QSA on-site assessment at acquirer discretion | Quarterly ASV external scan; annual internal penetration test |
| Level 3 | 20,000 to 1 million Visa e-commerce transactions annually, or 1 million to 6 million Mastercard e-commerce transactions | Annual SAQ with Attestation of Compliance | Quarterly ASV external scan |
| Level 4 | Fewer than 20,000 Visa e-commerce transactions annually, or all other Visa merchants processing fewer than 1 million transactions; Mastercard Level 4 covers merchants processing fewer than 1 million e-commerce transactions or up to 1 million total transactions | Annual SAQ with Attestation of Compliance; acquirer may set additional requirements | Quarterly ASV external scan recommended; acquirer may require it as a condition of card acceptance |

Service Provider Levels

Service providers — organizations that store, process, or transmit cardholder data on behalf of merchants, or that provide services that could affect the security of cardholder data — are classified separately from merchants. Visa defines two service provider levels based on annual transaction volume processed on behalf of merchants.

| Service Provider Level | Annual Volume Processed | Validation Requirement |
|---|---|---|
| Level 1 Service Provider | More than 300,000 Visa transactions processed annually on behalf of merchants | Annual ROC conducted by a QSA; quarterly ASV scans |
| Level 2 Service Provider | 300,000 or fewer Visa transactions processed annually | Annual SAQ D (Service Provider) with Attestation of Compliance; quarterly ASV scans |

When Transaction Volume Does Not Determine Your Level

Merchant level assignment is not purely mechanical. Three situations commonly result in level escalation outside the standard transaction-volume thresholds.

Post-Breach Level Escalation

Any merchant involved in a data compromise — regardless of transaction volume — may be designated Level 1 by Visa or Mastercard following the incident. This escalation is at the card brand’s discretion and typically requires the merchant to complete a Level 1 ROC assessment before resuming card acceptance. The escalation remains in effect for a period determined by the card brand and may be permanent depending on the severity of the incident. A merchant that was Level 4 before a breach can find itself subject to Level 1 requirements overnight.

Acquirer-Imposed Requirements

Acquirers — the banks and processors that enable merchants to accept card payments — have authority to impose stricter validation requirements than the card brand minimums. An acquirer may require a merchant to complete a QSA assessment or submit to quarterly scans regardless of transaction volume if the acquirer determines that the merchant’s environment presents elevated risk. Acquirers bear financial liability for chargebacks and breach costs associated with their merchants, which gives them a direct financial interest in enforcing compliance above the card brand floor.

Specific Payment Channels

Mastercard’s merchant level definitions differentiate between e-commerce and non-e-commerce transaction channels in ways that can result in different level assignments for the same annual transaction count depending on how transactions are accepted. Merchants with mixed channels — some in-person, some e-commerce — must evaluate their level across all applicable channel definitions. For e-commerce merchants specifically, the correct SAQ type is also heavily influenced by how the payment page is structured, independent of merchant level.

Validation Cycle: Annual Obligations at Each Level

All merchant levels share a common annual compliance cycle, but the validation mechanism and documentation requirements differ materially between levels.
Level 1 merchants must complete a full QSA assessment producing a Report on Compliance. The ROC is a detailed, auditor-produced document that attests to control effectiveness across all 12 PCI-DSS requirements. The assessment includes on-site inspection, personnel interviews, configuration review, and evidence validation. The ROC is accompanied by an Attestation of Compliance signed by both the QSA and a senior officer of the merchant organization.
Level 2 through Level 4 merchants complete a Self-Assessment Questionnaire appropriate to their payment acceptance model. The SAQ is accompanied by an Attestation of Compliance. For Level 2, acquirers increasingly require that a QSA review the completed SAQ before accepting the Attestation — effectively requiring external validation even without a full ROC.
All levels that conduct quarterly ASV scans must maintain documentation of scan results and remediation of any findings. Scans with open vulnerabilities rated at CVSS 4.0 or higher cannot be submitted as passing; all findings must be remediated and the scan repeated before an Attestation of Compliance can be signed. See PCI-DSS network segmentation for how CDE scope definition affects the systems subject to ASV scanning. For detail on version 4.0 requirements that apply at all merchant levels, see PCI-DSS 4.0 changes.

Armorstack’s Support Across All Merchant Levels

The validation mechanism differs by level; the underlying security controls do not. Every merchant level requires cardholder data protection, network security, access control, logging, and vulnerability management. The difference is in how those controls are assessed and documented, not in whether they must exist.
Armorstack’s VERITY advisory team supports merchant level determination, scoping analysis, and gap assessment for organizations at all levels. SENTRY managed detection and response provides the continuous monitoring, ASV scan coordination, and log management required by Requirements 10 and 11 at all merchant levels. CORE managed IT services maintains the infrastructure controls evaluated by SAQ and QSA assessments. To assess your merchant level obligations and current compliance posture, talk to an Armorstack compliance expert or start the 90-Day Proof. For overall PCI-DSS compliance program context, see PCI-DSS compliance.