April 7, 2025
What are the 4 PCI DSS levels? A practical breakdown for businesses
The cost of payment data breaches is rising fast. According to IBM’s 2023 Cost of a Data Breach Report, the average global breach cost reached $4.45 million—a figure that’s expected to grow as fraudsters target increasingly complex payment ecosystems. For businesses that handle credit or debit card data, compliance with PCI DSS (Payment Card Industry Data Security Standard) remains one of the most effective ways to protect sensitive customer information and maintain trust.
But not every business has the same obligations. PCI DSS compliance is not one-size-fits-all. That’s where PCI DSS levels come in—a tiered system that determines how much oversight and validation your organization needs based on the volume of card transactions you process annually.
Whether you’re a startup processing a few thousand online payments or an enterprise handling millions of card-present transactions across regions, your PCI level dictates your responsibilities—everything from whether you need an annual audit to what kind of documentation and testing is required.
And with PCI DSS v4.0 in effect, the stakes are even higher. The latest updates introduce more flexible frameworks for compliance, but also raise the bar on accountability and security expectations. If you’re unclear on how your level influences your path to compliance, this guide to PCI DSS v4.0 outlines the key changes and how to prepare for 2025.
What is PCI DSS and who does it apply to?
The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework designed to ensure that businesses process, store, and transmit credit card data in the most secure way possible. First introduced in 2004 by the PCI Security Standards Council (PCI SSC)—a consortium formed by major card networks including Visa, Mastercard, Discover, American Express, and JCB—PCI DSS applies to any organization that handles cardholder data, regardless of size or industry.
Whether you’re an e-commerce business, a point-of-sale merchant, a SaaS platform offering subscription billing, or a service provider storing payment credentials for clients, PCI DSS compliance is mandatory if card data touches your systems.
Non-compliance can lead to:
- Hefty fines from acquirers and card networks
- Termination of merchant accounts
- Increased risk of data breaches and fraud
- Reputational damage and loss of customer trust
In short, PCI DSS is not optional—it’s a contractual obligation for any entity within the payment ecosystem, and its scope continues to evolve with industry threats. The rollout of PCI DSS v4.0, for example, reflects a shift toward a more flexible and risk-focused approach, making it even more crucial for businesses to understand where they stand in the compliance spectrum.
What are the PCI DSS levels?
To ensure that businesses follow the appropriate path to compliance, PCI DSS classifies merchants and service providers into levels based on annual transaction volume. These levels help define the type and intensity of validation required—ranging from self-assessment questionnaires (SAQs) to on-site audits by a Qualified Security Assessor (QSA).
Here’s how the four levels typically break down for merchants:
| Level | Annual Transactions (Visa/Mastercard) | Validation Requirements |
|---|---|---|
| Level 1 | Over 6 million transactions | Annual ROC by QSA + quarterly ASV scans |
| Level 2 | 1 to 6 million transactions | SAQ (or ROC at acquirer’s discretion) + scans |
| Level 3 | 20,000 to 1 million e-commerce transactions | SAQ + quarterly scans |
| Level 4 | Fewer than 20,000 e-commerce or up to 1 million total | SAQ (recommended), requirements vary by acquirer |
Why do these levels exist?
Not all businesses carry the same risk. A company handling millions of card transactions is a bigger target for fraudsters and carries a higher impact if breached. PCI DSS levels help prioritize security oversight where it’s needed most—while still holding smaller businesses accountable to a baseline standard.
It’s important to note that card brands may have slight variations in how they define and enforce these levels, and your acquiring bank will ultimately inform you of your classification.
Breakdown of the 4 PCI DSS compliance levels
Your PCI DSS level determines how rigorous your compliance process needs to be—and it directly ties to the number of transactions your business processes annually. Each level reflects the potential risk exposure of your payment environment and the expectations set by card networks.
Level 1 – Over 6 million transactions annually
Level 1 is reserved for the largest merchants—typically enterprise retailers, marketplaces, or payment service providers handling more than 6 million Visa or Mastercard transactions per year. It also includes businesses that have suffered a cardholder data breach in the past, regardless of volume.
At this level, the compliance process is extensive. Businesses must complete an on-site audit by a Qualified Security Assessor (QSA), produce an annual Report on Compliance (ROC), perform quarterly vulnerability scans by an Approved Scanning Vendor (ASV), and demonstrate a mature security posture.
Given the scale of card data exposure, most Level 1 merchants rely on tokenization and secure vaulting to reduce their PCI scope. In this context, using an orchestration platform with built-in vaulting features—like Gr4vy’s—can significantly minimize risk. If you’re storing cardholder data or managing repeat payments, here’s what you need to know about how to store card data safely.
Level 2 – 1 to 6 million transactions annually
Level 2 merchants process between 1 and 6 million transactions per year across any channel. They don’t always require a full on-site audit, but they must complete a Self-Assessment Questionnaire (SAQ) and conduct quarterly ASV scans. In some cases, the acquirer or card brand may still request a ROC.
For businesses at this level, maintaining flexibility in provider selection and security infrastructure is key. Many turn to payment orchestration to consolidate providers, route transactions efficiently, and reduce their PCI footprint. By abstracting payment data through orchestration, businesses can simplify compliance and optimize their infrastructure at the same time. Here’s a helpful guide on the top benefits of using payment orchestration to stay compliant while scaling globally.
Level 3 – 20,000 to 1 million e-commerce transactions
This level applies primarily to online merchants handling 20,000 to 1 million e-commerce transactions annually. As at Level 2, an SAQ is required—usually SAQ A or SAQ A-EP—with the choice depending on how card data is collected and whether third parties handle it.
Even without a formal audit requirement, many e-commerce businesses underestimate their PCI exposure. If your platform integrates with multiple payment providers or stores payment credentials, leveraging orchestration with tokenization becomes essential to meet the evolving requirements under PCI DSS v4.0.
Level 4 – Fewer than 20,000 e-commerce or up to 1 million total transactions
Level 4 is where most small businesses start. If you’re processing under 20,000 e-commerce transactions or up to 1 million total transactions annually, you’re here.
While formal audits aren’t mandatory at this level, that doesn’t mean you’re in the clear. Smaller businesses often have less robust infrastructure, which makes them attractive targets for fraud. Acquirers may impose their own requirements, and you’re still responsible for submitting an SAQ and, in some cases, passing quarterly vulnerability scans.
This is where a payment orchestration platform adds real value—it allows smaller merchants to outsource PCI-sensitive functions while focusing on growth. Orchestration helps keep your card environment clean and ensures you don’t take on more risk—or compliance work—than you need to.
How to determine your PCI level
Understanding your PCI DSS level isn’t always straightforward—especially if you process payments through multiple providers or across different channels like in-store and online. The most common way to determine your level is by calculating your annual volume of Visa and Mastercard transactions, as these two networks set the standard thresholds.
But it’s not just about volume. You could also be bumped to Level 1 if:
- You’ve experienced a data breach or security incident
- A card brand or acquirer specifically reclassifies you
- You operate in a high-risk vertical, like travel or digital services
To get an accurate assessment, work with your acquiring bank or PSP, who will provide guidance based on your processing activity. It’s also important to regularly reassess your level—particularly if your business is scaling rapidly or shifting from domestic to international sales.
And remember: different card networks may define levels slightly differently. While Visa and Mastercard use similar thresholds, others (like Amex or Discover) may have separate requirements, especially for service providers.
Key compliance requirements by level
Once you know your PCI level, the next step is understanding what’s expected from a compliance standpoint. Requirements vary not just in depth—but in documentation, validation, and testing frequency.
Here’s what to expect at each level:
Level 1
- On-site audit by a QSA
- Full Report on Compliance (ROC)
- Quarterly ASV scans
- Internal and external penetration testing
- Continuous monitoring and incident response program
Levels 2 and 3
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly vulnerability scans from an ASV
- Evidence of remediation for vulnerabilities
- Implementation of logging and access control policies
Level 4
- SAQ (type determined by card data flow and collection method)
- ASV scans (if required by your acquirer)
- General adherence to PCI DSS best practices
If you’re unsure which SAQ version applies to your setup, that’s a sign you should consider simplifying your architecture. Many businesses choose to reduce PCI scope by using orchestration layers or third-party vaulting services. This strategy limits where cardholder data flows—cutting down on requirements, audit burden, and potential risk.
If you want to dive deeper into tokenization and orchestration’s role in reducing PCI complexity, check out this detailed breakdown on how to store card data safely.
Why being “just compliant” isn’t enough
While achieving PCI DSS compliance is essential, it should be seen as the baseline, not the finish line. Many organizations make the mistake of treating compliance as a checkbox exercise—focusing on passing audits rather than actually securing their infrastructure.
This mindset can lead to:
- Outdated security policies that don’t evolve with new threats
- Minimal investment in fraud detection and prevention
- Higher risk of breaches due to overreliance on basic controls
In fact, some of the biggest payment data breaches in recent years occurred at “compliant” companies—proving that the bare minimum isn’t enough in a world of evolving fraud tactics and sophisticated cyberattacks.
Security needs to be proactive. That means regularly testing systems, investing in tokenization, segmenting networks, and training teams. Compliance can help guide that journey, but it shouldn’t be the only goal.
The role of payment orchestration in PCI DSS compliance
One of the most effective ways to manage PCI DSS responsibilities—especially across multiple regions, payment methods, or platforms—is by adopting a payment orchestration layer.
Here’s how orchestration simplifies and strengthens PCI DSS compliance:
a. Reducing PCI scope
By tokenizing card data and offloading storage to secure third-party vaults, orchestration removes your systems from the scope of many PCI DSS requirements. This drastically simplifies your audit process and lowers risk.
b. Centralized control across providers
If you use multiple PSPs or acquirers, orchestration provides a single point of control for data flow, tokenization, logging, and failover. This means fewer integrations and fewer PCI touchpoints.
c. Faster adaptation to PCI DSS v4.0
With PCI DSS v4.0 introducing new flexibility and testing requirements, orchestration gives businesses a scalable way to keep pace with changes—without major infrastructure overhauls.
If you’re preparing for more advanced compliance mandates, platforms like Gr4vy can help you stay ahead by centralizing updates, encrypting card data, and minimizing scope.
Frequently asked questions
What PCI DSS level am I?
Your level depends on your annual transaction volume per card network. Your acquirer will notify you based on your data.
What’s the difference between SAQ and ROC?
The SAQ (Self-Assessment Questionnaire) is self-validated. The ROC (Report on Compliance) is a formal audit performed by a QSA, required for Level 1 merchants.
Can a small business be Level 1?
Yes, if it experiences a breach or is reclassified by a card brand or acquirer, a small business can be subject to Level 1 requirements.
How often do I need to validate compliance?
Annually, though some activities—like ASV scans and logging—must be done quarterly or continuously.
Does PCI DSS apply to non-card payments?
No, PCI DSS specifically governs credit and debit card data. However, other regulations may apply to non-card methods like ACH or crypto.
Planning your PCI compliance strategy for 2025
In 2025, PCI DSS compliance remains one of the most critical pillars of a secure and trustworthy payments operation. But understanding your compliance level—and what’s required at each tier—is just the beginning.
As businesses expand globally, support more payment methods, and face growing regulatory complexity, platforms like Gr4vy can help reduce the PCI burden. Through tokenization, smart routing, and orchestration, you can not only maintain compliance—but improve performance, reduce risk, and future-proof your infrastructure.
Ready to streamline your PCI compliance strategy and simplify global payments? Contact Gr4vy to learn how orchestration can transform your compliance approach.