Cost by level
Your merchant level sets the assessment route, the controls in scope, and most of the cost. Here is what each level looks like end to end, with the volume thresholds, the documents you need, and the realistic price tag.
Updated April 2026
| Level | Volume | Assessment route | Annual cost | Timeline |
|---|---|---|---|---|
| Level 1 | Over 6 million transactions per year | Report on Compliance (ROC) by QSA | $50,000 - $500,000 | 6-12 months (first time), 3-6 months (renewal) |
| Level 2 | 1-6 million transactions per year | SAQ + quarterly ASV scans (some acquirers require QSA) | $10,000 - $50,000 | 3-6 months |
| Level 3 | 20,000-1 million e-commerce transactions per year | SAQ + quarterly ASV scans | $5,000 - $20,000 | 1-3 months |
| Level 4 | Fewer than 20,000 e-commerce or 1 million total transactions | SAQ (type depends on payment acceptance method) | $1,000 - $5,000 | 1-4 weeks |
Level 4
Fewer than 20,000 e-commerce or 1 million total transactions
$1,000 - $5,000
per year
The vast majority of merchants fall into Level 4. Requirements are determined by how you accept payments. Using hosted payment solutions like Stripe Checkout or PayPal can significantly simplify compliance.
Level 3
20,000-1 million e-commerce transactions per year
$5,000 - $20,000
per year
E-commerce focused merchants with moderate transaction volumes. Must complete the appropriate SAQ and quarterly ASV scanning. PCI DSS 4.0 added significant requirements for payment page script security.
Level 2
1-6 million transactions per year
$10,000 - $50,000
per year
Mid-tier merchants processing significant transaction volumes. Most can self-assess using the appropriate SAQ, though some acquiring banks may require a QSA assessment depending on risk profile.
Level 1
Over 6 million transactions per year
$50,000 - $500,000
per year
The highest tier of PCI compliance, required for the largest merchants and any merchant that has suffered a data breach. Requires a full on-site assessment by a Qualified Security Assessor resulting in a Report on Compliance.
You do not need to grow into a higher level for it to apply. Several non-volume triggers can reclassify you with a single notice.
| Trigger | Consequence |
|---|---|
| Annual transaction growth crossing 6M | Level 1 designation, QSA required next renewal |
| Confirmed account data breach | Treated as Level 1 by affected card brands regardless of volume |
| Acquiring bank risk decision | Level 2 merchant required to engage a QSA rather than self-assess |
| Card brand designation | Visa or Mastercard can move a merchant up a level at their discretion |
Our partner network includes QSAs and ISAs across all merchant levels. Costs vary by scope and QSA fees are quoted independently. We do not endorse a specific firm.
Most card brands set Level 4 below 20,000 e-commerce or 1 million total transactions per year, Level 3 from 20,000 to 1 million e-commerce, Level 2 from 1 to 6 million total, and Level 1 above 6 million. Visa and Mastercard publish slightly different rules, and your acquiring bank can move you up a level for risk reasons. Confirm with your acquirer before budgeting.
Continue reading