Rules & Requirements —

Determining Your PCI DSS Compliance Level

PCI DSS levels depend on transaction volume, dictating whether you need a QSA-led ROC or a self-assessed SAQ.

Share this article

Contents

No headings found on page

Your organization’s PCI DSS compliance level determines how you validate compliance, whether through a formal ROC or a Self-Assessment Questionnaire (SAQ).

PCI DSS compliance levels are based primarily on annual transaction volume:

  • Level 1: Over 6 million transactions annually → Requires a ROC by a QSA

  • Level 2: 1 to 6 million transactions annually → Typically requires an SAQ, may require ROC depending on acquirer requirements

  • Level 3: 20,000 to 1 million e-commerce transactions annually → SAQ

  • Level 4: Fewer than 20,000 e-commerce or up to 1 million total transactions annually → SAQ

Knowing your level is critical—it informs the scope of your compliance project and the validation method required.

In the Spotlight

Start your PCI DSS compliance journey with DSALTA's complete checklist.

The Payment Card Industry Data Security Standard (PCI DSS) protects cardholder information and prevents payment fraud. For any business that processes, stores, or transmits credit card data, compliance is mandatory.

While PCI DSS may seem daunting, DSALTA® makes it easier. With automated evidence collection, real-time monitoring, and AI-driven insights, you can stay compliant without the heavy manual workload. Use this checklist to guide your PCI DSS journey.

Read more about PCI DSS compliance with DSALTA.

Stop losing deals to compliance.

Get compliant. Keep building.

Join 100s of startups who got audit-ready in days, not months.