There are four different levels, each with their own requirements.
Whether you process a few payments or millions of transactions every year, you need to comply with PCI DSS requirements. The security requirements that your business needs to comply with depend on your annual transaction volumes.
Transaction volumes apply to the highest number of a single card type per year, not the combined total. For example, if your business processes 5,000,000 Visa and 2,000,000 Mastercard transactions annually, it would qualify as Level 2, even though the two brands cumulatively equal 7,000,000.
| Level | Criteria for level | Compliance requirements |
| --- | --- | --- |
| 1 | Any merchant processing over 6 million Visa and Mastercard or debit card transactions annually; any compromised merchant | Annual onsite security assessment; quarterly network scan may be required if your cardholder data infrastructure is connected to the internet |
| 2 | Any merchant processing 1 to 6 million Visa and Mastercard or debit card transactions annually | Annual self-assessment questionnaire; quarterly network scan may be required if your cardholder data infrastructure is connected to the internet |
| 3 | Any merchant processing 20,000 to 1 million Visa or Mastercard eCommerce transactions a year | Annual self-assessment questionnaire; quarterly network scan may be required if your cardholder data infrastructure is connected to the internet |
| 4 | Any merchant processing fewer than 20,000 Visa or Mastercard transactions a year; all other merchants processing up to one million Visa or Mastercard transactions a year | Annual self-assessment questionnaire; quarterly network scan may be required if your cardholder data infrastructure is connected to the internet |
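The level rule above is easy to get wrong in practice because the per-brand peak, not the sum across brands, drives the level, and a compromise overrides volume entirely. The following is an added illustration, not code from this page or from the PCI SSC; it assumes the brand names, the `ecommerce_only` and `compromised` flags, and the boundary reading that exactly 1 million falls in Level 2 and exactly 20,000 eCommerce transactions falls in Level 3.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class MerchantProfile:
    # Constructed input: annual transaction counts keyed by card brand.
    volumes_by_brand: dict[str, int] = field(default_factory=dict)
    ecommerce_only: bool = False   # assumption: all card-not-present (eCommerce)
    compromised: bool = False      # merchant that has suffered a cardholder data breach


def peak_brand_volume(profile: MerchantProfile) -> int:
    # The level is driven by the single highest brand, never the cross-brand sum.
    return max(profile.volumes_by_brand.values(), default=0)


def merchant_level(profile: MerchantProfile) -> int:
    # A compromised merchant is treated as Level 1 regardless of volume.
    if profile.compromised:
        return 1
    peak = peak_brand_volume(profile)
    if peak > 6_000_000:            # "over 6 million" -> Level 1
        return 1
    if peak >= 1_000_000:           # "1 to 6 million" -> Level 2
        return 2
    if profile.ecommerce_only and peak >= 20_000:   # "20,000 to 1 million eCommerce" -> Level 3
        return 3
    return 4                        # fewer than 20,000, or other merchants up to 1 million


def validation_requirements(level: int) -> list[str]:
    # Level 1 needs an onsite assessment; Levels 2-4 complete the self-assessment questionnaire.
    assessment = "Annual onsite security assessment" if level == 1 else "Annual self-assessment questionnaire"
    scan = "Quarterly network scan (if cardholder data infrastructure is internet-connected)"
    return [assessment, scan]


if __name__ == "__main__":
    # Worked example from the text: 5M Visa + 2M Mastercard is Level 2, not Level 1.
    example = MerchantProfile({"Visa": 5_000_000, "Mastercard": 2_000_000})
    lvl = merchant_level(example)
    print(f"Level {lvl}: {validation_requirements(lvl)}")
```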
For more information, visit the PCI Security Standards website.