Site data protection merchant levels

Level 1
  Criteria:
  • Any merchant that has suffered a hack or an attack that resulted in an Account Data Compromise (ADC) Event
  • Any merchant having more than six million total combined Mastercard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that Mastercard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  Requirements:
  • Annual PCI DSS assessment resulting in the completion of a Report on Compliance (ROC) [1]

Level 2
  Criteria:
  • Any merchant with more than one million but less than or equal to six million total combined Mastercard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa
  Requirements:
  • Annual Self-Assessment Questionnaire (SAQ) [2]

Level 3
  Criteria:
  • Any merchant with more than 20,000 combined Mastercard and Maestro e-commerce transactions annually but less than or equal to one million total combined Mastercard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa
  Requirements:
  • Annual Self-Assessment Questionnaire (SAQ) [3]

Level 4
  Criteria:
  • All other merchants [4]
  Requirements:
  • Annual Self-Assessment Questionnaire (SAQ) [3]

Footnotes:
  [1] Level 1 merchants must undergo an annual PCI DSS assessment resulting in the completion of a ROC conducted by a PCI SSC-approved Qualified Security Assessor (QSA) or PCI SSC-certified Internal Security Assessor (ISA).
  [2] Level 2 merchants completing SAQ A, SAQ A-EP or SAQ D must additionally engage a PCI SSC-approved QSA or PCI SSC-certified ISA for compliance validation. Level 2 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA or PCI SSC-certified ISA to complete a ROC instead of performing an SAQ.
  [3] Level 3 and Level 4 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA to complete a ROC instead of performing an SAQ.
  [4] Level 4 merchants are required to comply with the PCI DSS. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.