PCI DSS Merchant Compliance Levels | Secure Customer Data

Site data protection merchant levels

Category	Criteria	Requirements
Level 1	Any merchant having more than six million total combined Mastercard and Maestro transactions annually Any merchant meeting the Level 1 criteria of Visa Any merchant that Mastercard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system	Annual PCI DSS assessment resulting in the completion of a Report on Compliance (ROC)¹
Level 2	Any merchant with more than one million but less than or equal to six million total combined Mastercard and Maestro transactions annually Any merchant meeting the Level 2 criteria of Visa	Annual Self-Assessment Questionnaire (SAQ)²
Level 3	Any merchant with more than 20,000 combined Mastercard and Maestro e-commerce transactions annually but less than or equal to one million total combined Mastercard and Maestro e-commerce transactions annually Any merchant meeting the Level 3 criteria of Visa	Annual Self-Assessment Questionnaire (SAQ)³
Level 4	All other merchants⁴	Annual Self-Assessment Questionnaire (SAQ)³

Level 1 merchants must undergo an annual PCI DSS assessment resulting in the completion of a ROC conducted by a PCI SSC-approved Qualified Security Assessor (QSA) or PCI SSC-certified Internal Security Assessor (ISA). ↩
Level 2 merchants completing SAQ A, SAQ A-EP or SAQ D must additionally engage a PCI SSC-approved QSA or PCI SSC-certified ISA for compliance validation. Level 2 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA or PCI SSC-certified ISA to complete a ROC instead of performing an SAQ. ↩
Level 3 and Level 4 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA to complete a ROC instead of performing an SAQ. ↩
Level 4 merchants are required to comply with the PCI DSS, although validation of compliance to Mastercard is not required, except as required by applicable law or regulation. ↩