PCI DSS compliance levels
PCI DSS has four merchant levels, assigned by how many card transactions you process a year. Here's what each level means, what it requires to validate, and how tokenization keeps your validation simple at whatever level you are assigned.
Your level depends on volume — not on how hard you try
Card brands and acquirers assign a level from your annual transaction volume, counted per card brand. The higher your volume, the more rigorous your validation. Card brands can also assign Level 1 at their discretion, typically after a data breach, regardless of a merchant's volume.
Set by volume
Your annual transaction count per card brand decides your level, assigned by your acquirer.
Different validation
Level 1 needs an on-site assessment by a Qualified Security Assessor; Levels 2–4 typically self-assess with a questionnaire.
Breach escalates
A compromise can move any merchant to Level 1 reporting, regardless of size.
PCI DSS merchant levels at a glance
| Level | Annual transaction volume | Typical validation |
|---|---|---|
| Level 1 | Over ~6M transactions/year (or any merchant after a breach) | Annual Report on Compliance (QSA) + quarterly ASV scans |
| Level 2 | ~1M–6M transactions/year | Annual Self-Assessment Questionnaire + quarterly scans |
| Level 3 | ~20,000–1M e-commerce transactions/year | Annual Self-Assessment Questionnaire + quarterly scans |
| Level 4 | Under ~20,000 e-commerce / up to 1M other transactions/year | Annual Self-Assessment Questionnaire (scans where applicable) |
Indicative thresholds; exact figures vary by card network and are counted per brand. Confirm your level with your acquiring bank.
Your level stays — your workload shrinks
Tokenization doesn't change the level your volume puts you in, but it changes how much you have to validate. When card data never touches your systems and every cardholder data function is outsourced to PCI DSS validated third parties, most merchants qualify for SAQ A, the shortest questionnaire, at any level. PCI Proxy is itself a PCI DSS Level 1 validated service provider vault, so the storage and handling of card data is covered by its assessment rather than yours. Confirm your SAQ eligibility with your acquirer, since the acquirer has the final say on which questionnaire applies.
PCI DSS levels, answered
01 What are the PCI DSS compliance levels?
PCI DSS defines four merchant levels based on annual card transaction volume. Level 1 is the largest (broadly over 6 million transactions a year, or any merchant the card brands assign there after a breach), Level 2 is around 1–6 million, Level 3 covers roughly 20,000–1 million e-commerce transactions, and Level 4 covers merchants below that: under 20,000 e-commerce transactions a year, or up to 1 million transactions through other channels. Higher levels require more rigorous validation.
02 How do I know which PCI level I am?
Your level is set by your acquirer or the card brands based on your annual transaction volume per brand. The exact thresholds vary slightly by card network, so confirm with your acquiring bank — but volume is the main driver, and a breach can push any merchant up to Level 1.
03 What does each PCI level have to do?
Level 1 merchants need an annual Report on Compliance from a Qualified Security Assessor plus quarterly ASV scans. Levels 2–4 generally complete a Self-Assessment Questionnaire and, where they have Internet-facing systems in scope, quarterly ASV scans. Reducing the card data you touch reduces the number of requirements in the SAQ you have to complete.
04 Does tokenization change my PCI level?
Tokenization doesn't change the level your volume puts you in, but it dramatically reduces what you have to validate. Because card data never touches your systems, most merchants qualify for the much shorter SAQ A, regardless of level. Note that SAQ A applies only when all cardholder data functions are outsourced to PCI DSS validated third parties and card data is captured by a redirect or hosted page rather than by your own site; if your own payment page controls how card data is captured, expect SAQ A-EP instead. Either way, compliance is far easier than a full assessment at any volume.
Simplify PCI at any level
Tell us your volume and how you handle cards, and we'll show how tokenization keeps your validation on SAQ A.