PCI Compliance Levels (Level 1–4)

PCI compliance levels (1–4) classify merchants by annual card transaction volume, determining audit requirements: Level 1 (>6M Visa/Mastercard transactions/year) requires annual on-site QSA audit + quarterly network scans; Levels 2–4 (fewer transactions) use Self-Assessment Questionnaires (SAQs). Defined by the PCI Security Standards Council at pcisecuritystandards.org and enforced through card network merchant agreements.

The PCI Security Standards Council (founded by Visa, Mastercard, Amex, Discover, and JCB) sets compliance levels that determine the validation effort required of each merchant — based on transaction volume, breach history, and card-network discretion. See pcisecuritystandards.org/document_library for the official standard documentation. Level 1: Merchants processing more than 6 million Visa or Mastercard transactions annually, OR any merchant that has suffered a breach, OR any merchant classified as Level 1 by a card network at its discretion. Required: annual on-site audit by a Qualified Security Assessor (QSA) or internal auditor (for certain Level 1 merchants); quarterly network vulnerability scans by an Approved Scanning Vendor (ASV); annual penetration test. Typical compliance cost: $50,000–$300,000 annually. Level 2: 1–6 million Visa transactions per year (or 1–6 million Mastercard transactions). Required: annual Self-Assessment Questionnaire (SAQ) + quarterly ASV scan. Less onerous than Level 1 but still requires documented policies and controls. Level 3: 20,000–1 million e-commerce transactions per year. Required: annual SAQ + quarterly ASV scan. Focus on e-commerce specific controls. Level 4: Fewer than 20,000 e-commerce transactions/year, OR up to 1 million total transactions/year for non-e-commerce merchants. Required: annual SAQ (typically SAQ-A, SAQ-B, or SAQ-C depending on payment acceptance method); quarterly ASV scan recommended. Most small businesses fall into Level 4. The FTC has brought enforcement actions against merchants with inadequate cardholder data security under 15 U.S.C. § 45 (FTC Act Section 5). See ftc.gov/tips-advice/business-center/guidance/complying-credit-card-act for FTC guidance on payment data security.

Examples

Frequently asked questions

How do I know what PCI compliance level I'm at?

Add up your annual Visa transactions (then check Mastercard separately — they have similar but slightly different tier definitions). Most small businesses processing under 1 million transactions/year are Level 4. If you've had a breach, your card network may classify you as Level 1 regardless of volume. Contact your acquiring bank or payment processor to confirm your assigned level.

What happens if I don't complete my PCI compliance validation?

Non-compliance with validation requirements (SAQ, ASV scans, QSA audit) triggers monthly fines of $5,000–$100,000 from your acquiring bank, potential rate increases, and eventual termination of card acceptance if you don't remediate. More critically, if a breach occurs while non-compliant, you bear full liability for fraudulent charges on all exposed cards — chargeback costs, card replacement fees, and forensic investigation costs.

Does using Stripe or Square mean I'm PCI compliant?

Using a fully hosted payment page (Stripe Checkout, Square POS) puts you in the smallest PCI scope (Level 4, SAQ-A) — significantly reducing your compliance burden. But 'reduced scope' doesn't mean 'no obligation.' You still must complete the SAQ-A annually and certify compliance. Stripe and Square's infrastructure handles most of the technical controls; your responsibility is the operational controls (employee access, physical security, no custom code storing card data).

Related terms

Further reading