
Understanding PCI DSS Compliance Levels: A Comprehensive Guide

Last updated on October 10, 2025
4 min. read

Understanding PCI DSS compliance levels is quite simple. In short, PCI DSS (Payment Card Industry Data Security Standard) compliance for merchants operates on four distinct levels. Businesses classified at Level 1 face the most demanding validation and control requirements, while Level 4 businesses face the fewest external validation requirements.

In this guide, we will break down all four PCI DSS compliance levels and offer a step-by-step validation roadmap and practical tips to streamline your program, so you can secure cardholder data with confidence.

What are PCI DSS compliance levels?

PCI DSS categorizes organizations based on their annual transaction volume and determines validation requirements accordingly. However, merchants and service providers follow different classification systems: merchants have four levels, while service providers have only two.

Merchant Levels (4 Levels)

Level 1 applies to merchants processing more than six million credit or debit card transactions each year across all channels. It also applies to any organization of any size that has suffered a credit card data breach.

Due to the high volume and increased risk, Level 1 organizations must undergo an annual, on-site audit known as a Report on Compliance (RoC), conducted by a PCI SSC–approved Qualified Security Assessor (QSA). In addition, they must perform quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). While this process requires the most time and resources, it provides the strongest protection against data breaches and enhances your credibility and customers' trust.

Level 2 comprises merchants processing between one million and six million transactions per year. These organizations can complete a Self-Assessment Questionnaire (SAQ) rather than a full RoC, and they still need to run quarterly external scans. This path allows mid-sized merchants to maintain robust security without the overhead of an external audit, striking a balance between cost control and risk management.

Level 3 covers merchants processing between 20,000 and 1 million e-commerce transactions annually. Similar to Level 2, Level 3 entities complete an SAQ tailored to their payment processing methods and perform quarterly vulnerability scans. Although they handle fewer transactions, they remain at significant risk of breaches, making regular assessments essential.

Level 4 applies to merchants processing fewer than 20,000 e-commerce transactions per year, as well as all other merchants processing up to one million total transactions annually. These lowest-volume merchants also complete an SAQ and quarterly scans. However, banks or card brands may impose additional requirements—even at this level—to address specific risks. Although the compliance path here is the lightest, underestimating the need for proper controls can still result in substantial fines and reputational damage.

Service Provider Levels (2 Levels Only)

Unlike merchants, service providers are classified into only two levels, not four. Service providers are businesses that store, process, or transmit cardholder data on behalf of other organizations or provide services that could impact cardholder data security.

Level 1 Service Provider applies to service providers that store, process, or transmit more than 300,000 credit card transactions annually. These organizations require:

  • Annual Report on Compliance (RoC) by a Qualified Security Assessor (QSA)
  • Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance (AoC) form

Achieving Level 1 compliance enables service providers to appear on Visa's Global Registry of Approved Service Providers.

Level 2 Service Provider applies to service providers that store, process, or transmit 300,000 or fewer credit card transactions annually. These organizations require:

  • Annual Self-Assessment Questionnaire (SAQ D) specific to service providers (some payment brands or acquiring banks may still require a RoC instead)
  • Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance (AoC) form

Major components of PCI DSS compliance reporting

Although the specific reporting requirements vary by level, every PCI DSS compliance program relies on a core set of components that serve both as audit deliverables and practical risk-management tools:

Policies and documentation

At the foundation of any compliance effort are written policies, network and data flow diagrams, and system configuration records. By mapping how cardholder data moves through your infrastructure and who is responsible for each control, you create clarity for auditors—and for your internal teams—reducing ambiguity when incidents occur.

Quarterly vulnerability scans

Approved Scanning Vendors (ASVs) perform external scans of your public-facing assets at least every three months. These scans identify known vulnerabilities such as outdated software, missing patches, or misconfigured firewalls. Addressing these issues proactively prevents attackers from exploiting weak points that could lead to data breaches.

Audit reports (RoC) or SAQs

RoC: For Level 1 entities, a QSA or an Internal Security Assessor (ISA) conducts an extensive on-site audit, testing technical and administrative controls against all 12 PCI DSS requirements and hundreds of testing procedures. The resulting Report on Compliance includes an executive summary, detailed findings, remediation plans, and an Attestation of Compliance signed by both the QSA and the merchant/service provider’s executive leadership.

SAQ: For Levels 2–4, organizations select the SAQ version that matches their environment (for example, SAQ A for wholly outsourced e-commerce or SAQ C for payment applications connected to the internet). The SAQ is a structured questionnaire where you affirm control implementation and attach evidence such as scan reports or policy documents.

Attestation of compliance

Alongside a RoC or SAQ, you must submit a formal Attestation of Compliance (AoC) to your acquiring bank or card brands. This document certifies that your organization has reviewed and met all relevant PCI DSS requirements, providing financial partners with assurance that you manage cardholder data securely.

Additional testing and documentation

Many organizations also conduct annual penetration tests and maintain an incident response plan, vulnerability management policy, and change-control procedures. While these measures may not be explicitly required for lower levels, they reinforce your security posture and streamline future assessments by demonstrating a mature risk management process.

Understanding the validation requirements for each PCI DSS level

Knowing your compliance level helps you allocate budget, staff time, and external resources effectively.

Level 1: RoC and quarterly scans

Level 1 validation involves a full, on-site audit performed by a PCI SSC–approved QSA. The assessor examines every control in the PCI DSS framework, from firewall configuration and encryption to access-control policies and logging procedures. 

You will need to gather extensive evidence, including network diagrams, system configuration files, and security policies. At the end of the audit, the QSA issues a RoC detailing any gaps and required remediation actions, along with a formal AoC signed by the merchant’s executive officer.

In addition, you must run quarterly external vulnerability scans and submit the scan reports. The total process—from planning and data collection to remediation and final report submission—typically takes four to eight weeks. Although this path involves the most significant effort, it delivers the highest level of assurance to stakeholders and card brands.

Levels 2 and 3: SAQ and quarterly scans

Organizations in Levels 2 and 3 complete an SAQ appropriate to their environment. The SAQ is divided into sections corresponding to PCI DSS requirements, and you answer each question by selecting “yes,” “no,” or “N/A,” while providing supporting evidence for compliance assertions. For example, if you indicate that multi-factor authentication is in place, you should attach screenshots or configuration settings that show MFA enforcement.

After completing the SAQ, you must also perform quarterly ASV scans and retain the scan reports. Although you conduct these activities internally, many organizations engage third-party consultants to review SAQ responses, ensuring accuracy and completeness. The SAQ process typically takes two to four weeks from start to finish.

Level 4: Tailored SAQ and quarterly scans

Level 4 merchants often select SAQ A (for fully outsourced e-commerce) or SAQ D (for merchants with on-site data storage). While the SAQ structure is similar to Levels 2 and 3, you may need to provide additional documentation, such as merchant-provided flow diagrams or bank-required attestation addenda. Quarterly ASV scans remain mandatory. 

Due to the lower transaction volume, many Level 4 organizations can achieve compliance in as little as two weeks, provided they already have basic security controls in place.

Across all levels, maintaining continuous evidence—such as system logs, change-management records, and penetration-test reports—ensures that your compliance artifacts are ready at any time, reducing last-minute scrambles when assessments are looming.

SAQ vs. RoC: What’s the difference, and which one do you need?

Although both the SAQ and RoC demonstrate your commitment to PCI DSS, they differ significantly in scope, cost, and assurance level:

Assessment depth
  • RoC: Involves hands-on testing of your environment by a qualified third party (QSA), who verifies that each control works as intended.
  • SAQ: Relies on your internal team or a consultant to self-report control status, backed by evidence attachments.

Time and cost
  • RoC: Typically spans four to eight weeks and can cost tens of thousands of dollars in QSA fees.
  • SAQ: Usually completed in two to four weeks, with consultant fees (if a consultant is used) significantly lower than for a full RoC.

Level of assurance
  • RoC: Offers the highest confidence to card brands and stakeholders, which is crucial for high-risk or high-volume environments.
  • SAQ: Provides reasonable assurance for medium- and low-volume merchants, but may be less persuasive to external auditors or board members unfamiliar with the environment.

Best fit for
  • RoC: Level 1 merchants, i.e. those processing more than six million card transactions annually, or businesses that have been specifically instructed by card networks (Visa, MasterCard, etc.) to undergo a QSA-led audit.
  • SAQ: Level 2–4 merchants, i.e. businesses processing fewer than six million card transactions annually and not required by card networks or acquirers to undergo a QSA-led audit. These businesses are eligible to self-assess using the SAQ.

PCI DSS compliance checklist

To help you organize your efforts, here is a concise checklist tailored to each PCI DSS compliance level:

1. Determine your level

  1. Review your total card transactions over the past 12 months.

  2. Confirm service provider status and any breach history.

2. Select validation method

  1. Level 1 → RoC + quarterly scans.

  2. Levels 2–4 → Appropriate SAQ + quarterly scans (a RoC may still be required by your acquirer or card brand).

3. Gather documentation

  1. Network diagrams, data flowcharts, and system inventories.

  2. Security policies, incident response plans, and change management procedures.

4. Perform gap analysis

  1. Map existing controls to each of the 12 PCI DSS requirements.

  2. Identify gaps, assign remediation tasks, and prioritize based on risk.

5. Implement remediation

  1. Configure firewalls and network segmentation to isolate card data.

  2. Deploy encryption for data in transit and at rest.

  3. Enforce strong access controls and multi-factor authentication.

  4. Establish robust logging, monitoring, and vulnerability management processes.

6. Complete validation

  1. RoC: Schedule the QSA audit, provide evidence, and review draft findings.

  2. SAQ: Answer each questionnaire item truthfully, attach evidence, and consider third-party review.

7. Submit attestation

  1. Prepare the AoC or QSA-signed RoC.

  2. Submit to your acquiring bank and any card brands as required.

8. Maintain continuous compliance

  1. Run quarterly ASV scans and address new findings promptly.

  2. Update your SAQ or RoC annually.

  3. Review policies and incident response plans at least once a year or after significant changes to your environment.

Typical timeline for PCI DSS assessments

Realistic planning is essential to avoid last-minute rushes and to allocate internal and external resources effectively. A typical timeline might look like this:

  • Preparation (2–4 weeks): Scope definition; gather network diagrams and policies.
  • Gap analysis (2–8 weeks): Detailed control mapping; risk prioritization.
  • Remediation (1–3 months): Implement technical controls, security policies, and training.
  • Validation (2–4 weeks): QSA audit (RoC) or SAQ completion; evidence submission.
  • Ongoing maintenance: Quarterly/annual ASV scans; annual SAQ/RoC updates; policy reviews.

Automating PCI DSS compliance with Scrut

Manual compliance management can be labor-intensive, error-prone, and difficult to scale. That’s where a compliance automation platform like Scrut becomes invaluable, turning compliance into a continuous, transparent program.

  • Pre-configured PCI DSS v4.0 controls
    Scrut provides a comprehensive policy library containing around 150 pre-built policies, each already mapped to specific PCI DSS requirements, so you can establish your information security program within minutes rather than weeks. These controls are maintained and updated by Scrut’s in-house PCI DSS experts, giving you confidence that every control reflects the latest standard—whether you're at PCI DSS Level 1 or Level 4.
  • Real-time control monitoring
    With Scrut’s continuous monitoring engine, you see gaps and critical issues as they arise through automated, configurable alerts—eliminating blind spots between quarterly scans. This real-time visibility helps your security and compliance teams prioritize remediation on the highest-risk items first, ensuring you stay audit-ready every day.
  • Automated evidence collection
    Scrut integrates with multiple widely-used applications and infrastructure tools to automatically gather the evidence required for each PCI DSS control, transforming a traditionally manual process into a seamless pipeline. Rather than hunting for screenshots or log exports, your team can rely on Scrut to pull in configuration settings, scan results, and policy documents directly into the compliance dashboard.
  • Collaborative evidence management
    Scrut’s platform centralizes all compliance artifacts—scan reports, policy versions, and configuration snapshots—in a single workspace that you can share with QSAs, internal auditors, or other stakeholders. Through role-based access controls and real-time dashboards, everyone involved can review evidence, leave comments, and sign off on controls without emailing files or scheduling separate meetings.

By integrating Scrut into your security operations, you transform PCI DSS from an annual scramble into an ongoing program that enhances your overall cybersecurity posture—regardless of your PCI DSS levels. See how it works in action. Schedule a demo with Scrut today.
