Site data protection merchant levels

Criteria and requirements by category (bracketed numbers refer to the numbered notes that follow)

Level 1
  Criteria:
  • Any merchant that has suffered a hack or an attack that resulted in an Account Data Compromise (ADC) Event
  • Any merchant having more than six million total combined Mastercard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that Mastercard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  Requirements:
  • Annual Onsite Assessment [1]

Level 2
  Criteria:
  • Any merchant with more than one million but less than or equal to six million total combined Mastercard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa
  Requirements:
  • Annual Onsite Assessment or Self-Assessment [2]

Level 3
  Criteria:
  • Any merchant with more than 20,000 combined Mastercard and Maestro e-commerce transactions annually but less than or equal to one million total combined Mastercard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa
  Requirements:
  • Annual Self-Assessment
  • Onsite Assessment at Merchant Discretion [3]

Level 4
  Criteria:
  • All other merchants [4]
  Requirements:
  • Annual Self-Assessment
  • Onsite Assessment at Merchant Discretion [3]

  1. Level 1 merchants must complete an annual onsite assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA) or PCI SSC-certified Internal Security Assessor (ISA).
  2. Level 2 merchants must complete an annual onsite assessment or self-assessment conducted by a PCI SSC-approved QSA or PCI SSC-certified ISA.
  3. Level 3 and Level 4 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA for an onsite assessment instead of performing a self-assessment.
  4. Level 4 merchants are required to comply with the PCI DSS. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.