What is PCI Compliance Level 2?

Published July 1, 2019 • 2 min read

Payment Card Industry Data Security Standard (PCI DSS) Level 2 merchants are those that process between 1 and 6 million Visa, Mastercard, and Discover transactions per year; 50,000 to 2 million sales using American Express, and fewer than 1 million JCB International credit card transactions. 

Service providers–entities that process credit card payments for merchants and their financial institutions (also known as “acquiring banks”) or that handle card and cardholder data in some other capacity, such as data destruction–qualify as PCI Compliance Level 2 if they process, store, or transmit fewer than 300,000 total card transactions annually.

If your enterprise qualifies as merchant Level 2 or service provider Level 2, it won’t need a yearly onsite audit by a Qualified Security Assessor or resulting Report on Compliance to demonstrate PCI DSS compliance. Only level 1 entities need the audit.

Instead, merchants in levels 2, 3, and 4 may submit a completed Self-Assessment Questionnaire to the PCI Security Standards Council (PCI SSC) and perform a few other tasks before making an Attestation of Compliance. However, with as many as 281 requirements to address and other required tasks to complete, becoming PCI compliant can take Level 2 entities a full year or more.


What is PCI DSS?

The payment card industry—in particular, credit card brands Visa, Mastercard, American Express, Discover, and JCB—leads the Security Standards Council. It developed the PCI DSS framework in 2004 to ensure the security of credit card data and cardholder data, in particular e-commerce transactions.

Recognizing that different organizations have different security risks, however, the council established four merchant levels and two service provider levels. Level 1 is the most stringent, for entities processing 6 million or more credit card transactions per year (as well as those that have suffered a data breach) and service providers handling more than 300,000 payment card transactions annually.


Are you Level 2?

Merchant Level 2 generally applies to merchants processing, storing, or transmitting 1 million or more transactions (up to 6 million) per year. That’s the PCI DSS standard. But the major credit cards also have their own designated merchant levels, so your organization’s designation depends partly on which cards it accepts.

Filling out and submitting a Self-Assessment Questionnaire—a lengthy process in itself with as many as 281 requirements to address—is one of several tasks those in PCI compliance Level 2 must complete before completing their Attestation of Compliance.

The PCI DSS compliance criteria and requirements for merchant and service provider Level 2 are:



  • Process 1 million to 6 million Mastercard, Discover, or Visa transactions per year
  • Process 50,000 to 2.5 million American Express transactions annually
  • Process fewer than 1 million JCB transactions annually

Validation Requirements:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by PCI SSC-Approved Scan Vendor
  • Attestation of Compliance Form

Service providers


  • Process, store, or transmit fewer than 300,000 credit card transactions per year

Validation requirements:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by an Approved Scan Vendor
  • Penetration test
  • Internal scan
  • Attestation of Compliance Form

Service providers that qualify as Level 2 may be asked by partners, clients, or other business partners to validate their PCI DSS compliance with an onsite audit by a Qualified Security Assessor or Internal Security Assessor and meet other, more stringent, Level 1 criteria. Also, they may opt to validate as a Level 1 provider to be included on Visa’s Global Registry of Approved Service Providers.

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Get a demo