Which PCI Level Applies to Your Business Volume?

Not all businesses face the same PCI compliance requirements. Your transaction volume determines your level—and your level determines everything from self-assessments to third-party audits.


You process credit cards. You know compliance matters. But when you look at PCI requirements, it’s not always clear which rules actually apply to your business.

The answer depends on your transaction volume. Four compliance levels exist, each with different validation requirements, different costs, and different consequences if you fall short. Figuring out where you land isn’t complicated, but getting it wrong can mean penalties, audits, or worse—losing your ability to accept cards altogether.

Here’s how to determine your PCI level based on your business volume, what each level requires, and why it matters for businesses operating in DC, Virginia, and Maryland.

How PCI Compliance Levels Are Determined

PCI levels aren’t arbitrary categories. They’re based on one primary factor: how many card transactions your business processes in a 12-month period.

The four merchant levels are defined by the card brands' own compliance programs (Visa, Mastercard, and the others), not by the PCI Security Standards Council, which publishes the PCI DSS itself. The levels match validation requirements to actual risk exposure: higher transaction volumes mean more cardholder data flowing through your systems, which means greater potential impact if something goes wrong.

Your level dictates whether you can self-assess compliance or whether you need an external auditor. It determines how often you’re scanned for vulnerabilities and what documentation you must submit to your acquiring bank. Most importantly, it defines the scope of work required to stay compliant and keep accepting cards.


What counts as a transaction for PCI level determination

When calculating your PCI level, you’re counting individual transactions, not dollar amounts. A $5 coffee purchase counts the same as a $5,000 equipment sale.

You need to include all Visa transactions processed across every channel over the previous 12 months. That means in-store terminals, online payment gateways, phone orders, mobile payments, and any other method you use to accept cards. If you process through multiple merchant accounts or locations under the same corporate entity, those volumes are aggregated together.

What doesn’t count? Refunds, voids, and declines. Only original authorization transactions factor into your annual volume calculation.

Here’s where it gets slightly more complicated. While Visa’s framework is the most commonly referenced standard, other card brands have similar structures with minor variations. Mastercard, American Express, Discover, and JCB each maintain their own compliance programs. If you accept multiple card brands, you might technically fall into different levels for different networks.

The practical solution is straightforward: follow the strictest requirements. If one card brand places you at Level 2 and another at Level 3, meet the Level 2 requirements. That ensures you’re fully compliant across all brands and eliminates any gaps in your security posture.

Your acquiring bank—the financial institution that processes your card transactions—ultimately determines your merchant level. They review your transaction history and assign your compliance tier. If you’re unsure which level applies to you, your processor or acquiring bank can confirm it. Don’t guess. The consequences of assessing at the wrong level range from wasted resources if you’re over-complying to serious penalties if you’re under-complying.

The four PCI DSS compliance levels explained

Level 1 applies to merchants processing more than 6 million card transactions annually. This is also the level assigned to any merchant that has experienced a data breach resulting in compromised account data, regardless of transaction volume.

If you’re at Level 1, you’re facing the most stringent requirements in the framework. You must undergo an annual onsite assessment conducted by a Qualified Security Assessor. This isn’t a questionnaire you fill out yourself—it’s a comprehensive third-party audit that examines your entire cardholder data environment against all PCI DSS requirements. You’ll also need quarterly network scans by an Approved Scanning Vendor and annual penetration testing. The deliverables include a full Report on Compliance and an Attestation of Compliance signed by your QSA.

Level 2 covers merchants processing between 1 million and 6 million transactions per year. The validation requirements are less intensive than Level 1, but you’re still held to the full security standard.

Most Level 2 merchants can complete an annual Self-Assessment Questionnaire instead of undergoing a QSA-led audit. However, some acquiring banks or card brands require QSA involvement. Mastercard, for example, expects a Level 2 merchant's SAQ to be completed by staff who have taken the PCI SSC Internal Security Assessor training, or otherwise validated by a QSA. You'll still need quarterly vulnerability scans from an Approved Scanning Vendor, and you must submit an Attestation of Compliance to your acquiring bank.

Level 3 applies to merchants processing between 20,000 and 1 million e-commerce transactions annually. This level specifically focuses on online transaction volume, though the threshold can vary slightly depending on which card brand’s program you’re following.

Level 3 merchants typically complete an annual SAQ and submit quarterly vulnerability scan results. An external QSA audit isn’t required unless you choose to do one voluntarily or your acquiring bank requests it based on specific risk factors. Many businesses at this level are small to medium-sized e-commerce operations with relatively straightforward payment environments.

Level 4 is the entry tier, covering merchants processing fewer than 20,000 e-commerce transactions per year and no more than 1 million transactions annually across all channels combined. Most small businesses fall into this category.

The validation requirements are the most flexible here. You’ll complete an annual Self-Assessment Questionnaire, but whether you need to submit it to your acquiring bank depends on their specific policies and the card brands you accept. Quarterly vulnerability scans may or may not be required depending on your payment setup. Some Level 4 merchants don’t need to formally validate compliance to the card brands, though you’re still expected to meet PCI DSS requirements. Your processor or acquiring bank sets those expectations.
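The rules above interact in ways the tier descriptions alone do not make obvious: Level 3 keys on e-commerce count only, Level 2 and Level 1 key on total count across every channel, only original authorizations count, each brand is scored separately and the strictest result wins, and a prior breach overrides volume entirely. The following Python is an added worked example written for this article; it is not code from the article's author, from any card brand, or from any acquirer. It uses the Visa thresholds as the article states them, and applying those same numbers to every brand is a simplification (the article notes the programs differ slightly). Treating exactly 1,000,000 total transactions as Level 2 is an assumption about an inclusive band, and the `Txn`, `ledger` and `demo` names and the sample volumes are constructed for illustration. Whatever this computes, the level your acquirer assigns is the one that binds you.

```python
from collections import defaultdict
from typing import Iterable, NamedTuple

# Only original authorizations count toward annual volume. Refunds, voids and
# declines are excluded, as the article describes.
COUNTED_KINDS = {"sale"}


class Txn(NamedTuple):
    """One ledger record (hypothetical shape, not a real processor feed)."""
    brand: str     # "visa", "mastercard", ...
    channel: str   # "ecommerce", "card_present", "phone", "mobile"
    kind: str      # "sale", "refund", "void", "decline"
    account: str   # merchant account or location; all are aggregated


def count_volume(txns: Iterable[Txn]) -> dict:
    """Return {brand: (ecommerce_sales, total_sales)} for a 12-month ledger.
    Every channel and every merchant account of the same entity is summed;
    the account field is carried only so a real feed could keep it."""
    ecom, total = defaultdict(int), defaultdict(int)
    for t in txns:
        if t.kind not in COUNTED_KINDS:
            continue
        total[t.brand] += 1
        if t.channel == "ecommerce":
            ecom[t.brand] += 1
    return {b: (ecom[b], total[b]) for b in total}


def level_for_brand(ecom_count: int, total_count: int) -> int:
    """Map one brand's counts to a level using the tiers the article gives
    for Visa. Counting exactly 1,000,000 total as Level 2 is an assumption
    (the bands are stated inclusively); the acquirer makes the final call."""
    if total_count > 6_000_000:
        return 1
    if total_count >= 1_000_000:
        return 2
    if ecom_count >= 20_000:   # Level 3 keys on e-commerce volume only
        return 3
    return 4


def merchant_level(txns: Iterable[Txn], breached: bool = False) -> int:
    """Strictest level (lowest number) across every brand the merchant accepts.
    A prior compromise of account data forces Level 1 regardless of volume."""
    if breached:
        return 1
    volumes = count_volume(txns)
    if not volumes:
        return 4
    return min(level_for_brand(e, t) for e, t in volumes.values())


def ledger(*rows) -> Iterable[Txn]:
    """Expand (brand, channel, kind, account, count) rows into Txn records."""
    for brand, channel, kind, account, n in rows:
        for _ in range(n):
            yield Txn(brand, channel, kind, account)


def demo() -> dict:
    """Constructed scenarios (not real merchant data) covering the cases
    where reading the tiers naively gives the wrong answer."""
    return {
        # 30,000 e-commerce sales put this merchant at Level 3 even though
        # total volume is far below 1 million; refunds and declines add nothing.
        "mixed_channels": merchant_level(ledger(
            ("visa", "ecommerce", "sale", "web", 30_000),
            ("visa", "card_present", "sale", "store-1", 100_000),
            ("visa", "ecommerce", "refund", "web", 5_000),
            ("visa", "ecommerce", "decline", "web", 2_000),
        )),
        # Heavy card-present volume, but under 20,000 online and under
        # 1 million total across two locations, stays at Level 4.
        "mostly_card_present": merchant_level(ledger(
            ("visa", "ecommerce", "sale", "web", 10_000),
            ("visa", "card_present", "sale", "store-1", 300_000),
            ("visa", "card_present", "sale", "store-2", 200_000),
        )),
        # Visa volume alone is Level 3; Mastercard volume is Level 2, so the
        # merchant follows the stricter Level 2 requirements.
        "two_brands": merchant_level(ledger(
            ("visa", "ecommerce", "sale", "web", 200_000),
            ("mastercard", "card_present", "sale", "store-1", 1_000_000),
        )),
        # A breached Level 4 merchant is escalated to Level 1.
        "breached_small_merchant": merchant_level(ledger(
            ("visa", "card_present", "sale", "store-1", 5_000),
        ), breached=True),
    }


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name}: Level {level}")
```

The point of scoring each brand separately and then taking the minimum is that a merchant can be Level 3 on Visa and Level 2 on Mastercard at the same time; building the per-brand counts first, rather than one combined total, is what lets you see that and meet the stricter requirement.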


PCI QSA Requirements and When You Need One

A Qualified Security Assessor is an independent professional certified by the PCI Security Standards Council to validate compliance with PCI DSS. Not every business needs one, but understanding when QSA involvement becomes necessary helps you plan resources and timelines.

Level 1 merchants must work with a QSA. There’s no way around it. The annual onsite assessment and Report on Compliance can only be completed by a certified QSA or, in some cases, an Internal Security Assessor if your organization employs one.

For Level 2, 3, and 4 merchants, QSA involvement is typically optional unless your acquiring bank or a specific card brand requires it. Some banks mandate QSA validation for Level 2 merchants completing certain types of Self-Assessment Questionnaires. Others allow full self-assessment across all lower levels.


What a QSA actually does during an assessment

A QSA assessment isn’t a quick checklist review. It’s a comprehensive evaluation of your entire cardholder data environment, your security controls, your policies, and your operational practices.

The process typically begins with scoping. The QSA works with your team to identify every system, network segment, application, and process that stores, processes, or transmits cardholder data—or could impact the security of that data. Proper scoping is critical because it defines what gets assessed and what falls outside PCI scope.

Next comes the actual assessment. The QSA tests your controls against each applicable PCI DSS requirement. That includes reviewing firewall configurations, examining access controls, validating encryption methods, checking logging and monitoring systems, and assessing your vulnerability management processes. They’ll interview staff, review documentation, and conduct technical testing to verify that controls are implemented correctly and working as intended.

Once testing is complete, the QSA compiles a Report on Compliance. This document details your environment, describes how each requirement was tested, and confirms whether you’re compliant or identifies gaps that need remediation. Any findings must be addressed before you can close out your compliance validation for the year.

The QSA also provides an Attestation of Compliance, which is a formal declaration of your compliance status. This is what you submit to acquiring banks and card brands as proof that you’ve met PCI requirements.

The timeline for a QSA assessment varies based on the complexity of your environment, but most engagements take somewhere between four and eight weeks from kickoff to final report. Preparation can take months if you’re building controls from scratch or addressing significant gaps.

How businesses in Maryland, Virginia, and DC should approach compliance

If you’re operating in the DC, Virginia, or Maryland area, your compliance approach depends on your business size, transaction volume, and industry.

Many small businesses in the region fall into Level 4. Restaurants, local retailers, professional services firms, and small e-commerce operations typically process fewer than 20,000 online transactions and under 1 million total transactions annually. For these businesses, compliance often means completing an annual SAQ and working with your payment processor to ensure your systems meet basic security requirements.

Mid-market businesses—regional chains, larger healthcare practices, growing e-commerce companies—often land in Level 3 or Level 2 territory. At this stage, compliance becomes more structured. You’re dealing with quarterly vulnerability scans, more comprehensive SAQs, and potentially QSA involvement depending on your acquiring bank’s requirements.

Larger enterprises processing millions of transactions annually face Level 1 requirements. These are typically established retail chains, major e-commerce platforms, hospitality groups, or healthcare systems. At this level, compliance is an operational discipline, not a checkbox. You need dedicated resources, ongoing monitoring, and annual third-party audits.

One factor that affects businesses across all levels in this region is the concentration of government contractors, financial services firms, and healthcare organizations. If you serve federal clients or operate in regulated industries, you may face additional security requirements beyond PCI. Understanding how these frameworks intersect—and where they overlap—can help you build more efficient compliance programs.

Your payment processor plays a significant role in your compliance journey. Some processors offer compliance support, provide tools that reduce your PCI scope, or help you navigate the validation process. Others simply pass along card brand requirements and leave implementation to you. At Merchant Processing Solutions Inc, we offer compliance support and help businesses in Maryland, Virginia, and DC meet the requirements for their specific level.

Understanding your PCI level is the first step toward compliance

Your transaction volume determines your PCI level. Your level determines your validation requirements. And your validation requirements determine what you need to do to stay compliant and keep accepting cards.

If you're processing fewer than 20,000 e-commerce transactions and under 1 million total transactions, you're likely Level 4. Between 20,000 and 1 million e-commerce transactions puts you at Level 3. Between 1 million and 6 million total transactions means Level 2. Above 6 million, or if you've experienced a breach, you're at Level 1.

Each level has specific requirements—from simple self-assessments to comprehensive third-party audits. Understanding where you fall helps you allocate the right resources, avoid unnecessary costs, and prevent the penalties that come with non-compliance.

If you’re operating in Maryland, Virginia, or the District of Columbia and need help determining your PCI level or meeting your compliance requirements, we can provide guidance tailored to your business and transaction volume.

Summary:

Understanding which PCI level applies to your business isn’t just about checking a compliance box. It’s about knowing exactly what’s required of you, how much it’ll cost, and what happens if you get it wrong. Your annual transaction volume determines whether you’re facing a simple questionnaire or a full onsite audit. The difference between Level 4 and Level 1 isn’t just paperwork—it’s resources, time, and potential penalties if you’re not meeting the right requirements. If you accept credit cards in Maryland, Virginia, or DC, this matters. Because the card brands don’t care about intent—they care about compliance.
