Before you can complete your PCI DSS compliance requirements, it’s essential to know your merchant level. This classification determines whether your organization must complete a Self-Assessment Questionnaire (SAQ) or undergo a full onsite assessment by a Qualified Security Assessor (QSA).
Understanding your level is a critical first step—and Backbone Security, through our 1 Stop PCI Scan service, is here to help.
Merchant levels are defined by each card brand (Visa, Mastercard, American Express, Discover, JCB) based on the number of transactions you process annually, not the dollar amount. These counts are per card brand, not cumulative.
Your level determines:
- Whether you can complete a Self-Assessment Questionnaire (SAQ)
- Whether you require a Report on Compliance (ROC)
- Whether additional security validation (like ASV scanning) is required
Validation Type | Who Requires It? |
---|---|
Self-Assessment Questionnaire (SAQ) | Merchants at Level 2, 3, or 4 (depending on processing methods and acquirer requirements) |
Report on Compliance (ROC) | Required for Level 1 merchants and sometimes Level 2 |
ASV Vulnerability Scanning | Required for all levels that handle internet-facing systems or cardholder data |
➡️ Note for Level 2 Merchants: If opting to use an SAQ rather than a ROC, many card brands now require the person completing the SAQ to be trained and qualified as a PCI SSC Internal Security Assessor (ISA).
Backbone Security is an Approved Scanning Vendor (ASV), authorized to perform external vulnerability scans for all merchant levels across all card brands. Whether you’re a Level 1 enterprise or a Level 4 small business, 1 Stop PCI Scan delivers the tools and support you need to stay compliant.
Level | Annual Transactions | Validation Requirements |
---|---|---|
Level 1 | Over 6 million Visa transactions | ROC by QSA + Quarterly ASV scans |
Level 2 | 1 to 6 million Visa transactions | SAQ (must be completed by ISA if not using ROC) + Quarterly ASV scans |
Level 3 | 20,000 to 1 million Visa e-commerce transactions | SAQ + Quarterly ASV scans |
Level 4 | Fewer than 20,000 e-commerce or up to 1 million total Visa transactions | SAQ + ASV scans as required by acquirer |

Level | Annual Transactions | Validation Requirements |
---|---|---|
Level 1 | Over 6 million Mastercard transactions | ROC by QSA + Quarterly ASV scans |
Level 2 | 1 to 6 million Mastercard transactions | SAQ (ISA strongly recommended) or ROC + Quarterly ASV scans |
Level 3 | 20,000 to 1 million Mastercard e-commerce transactions | SAQ + Quarterly ASV scans |
Level 4 | Fewer than 20,000 e-commerce or up to 1 million total Mastercard transactions | SAQ + ASV scans as required by acquirer |

Level | Annual Transactions | Validation Requirements |
---|---|---|
Level 1 | Over 2.5 million Amex transactions | ROC by QSA or internal audit (if approved) + Quarterly ASV scans |
Level 2 | 50,000 to 2.5 million Amex transactions | SAQ + Quarterly ASV scans |
Level 3 | Fewer than 50,000 Amex transactions | SAQ (ASV scans recommended) |

Level | Annual Transactions | Validation Requirements |
---|---|---|
Level 1 | Over 6 million Discover transactions | ROC by QSA + Quarterly ASV scans |
Level 2–4 | Less than 6 million Discover transactions | SAQ + Quarterly ASV scans (as required) |

Level | Annual Transactions | Validation Requirements |
---|---|---|
Level 1 | Over 1 million JCB transactions | ROC by QSA + Quarterly ASV scans |
Level 2 | 150,000 to 1 million JCB transactions | SAQ or ROC + Quarterly ASV scans |
Level 3 | Fewer than 150,000 JCB transactions | SAQ (ASV scans recommended) |
1 Stop PCI Scan – A Division of Backbone Security, Inc.