Determining Your PCI DSS Compliance Level
PCI DSS levels depend on transaction volume, dictating whether you need a QSA-led ROC or a self-assessed SAQ.
Your organization’s PCI DSS compliance level determines how you validate compliance: through a formal Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA), or through a Self-Assessment Questionnaire (SAQ).
PCI DSS compliance levels are based primarily on annual transaction volume:
Level 1: Over 6 million transactions annually → Requires a ROC by a QSA
Level 2: 1 to 6 million transactions annually → Typically requires an SAQ; an acquirer may require a ROC instead
Level 3: 20,000 to 1 million e-commerce transactions annually → SAQ
Level 4: Fewer than 20,000 e-commerce or up to 1 million total transactions annually → SAQ
Knowing your level is critical: it determines the scope of your compliance project and the validation method required.
