PCI DSS compliance is not one-size-fits-all. The card networks—primarily Visa and Mastercard—have defined a tiered system of compliance levels based on transaction volume. Each level has different validation requirements, different costs, and different assessment methods. A large national retailer will have far more stringent validation obligations than a small e-commerce store. Understanding which level applies to your organization is essential, because it determines your validation pathway, your assessment costs, and your ongoing compliance burden.
The Four Merchant Levels
Merchant levels are defined by annual transaction volume across all payment channels combined. The transaction volume is counted across every channel the merchant uses: card-present (brick-and-mortar point of sale), card-not-present (e-commerce), mail order, telephone order, or any other channel accepting card payments. If a merchant processes 5 million in-store transactions and 2 million e-commerce transactions, the total is 7 million, placing it in Level 1 despite the e-commerce volume being below Level 1 thresholds.
| Level | Visa/MC Annual Transactions | Validation Requirement | Frequency |
|---|---|---|---|
| Level 1 | Over 6 million (Visa and MC) | Annual on-site QSA assessment (ROC) or Internal Security Assessor (ISA) | Annual |
| Level 2 | 1–6 million (Visa/MC) | Annual SAQ + quarterly ASV scan | Annual SAQ, Quarterly scan |
| Level 3 | 20,000–1 million e-commerce (Visa) / 20,000–6 million (MC) | Annual SAQ + quarterly ASV scan | Annual SAQ, Quarterly scan |
| Level 4 | Fewer than 20,000 e-commerce or up to 1 million other (Visa) | Annual SAQ + quarterly ASV scan (recommended) | Annual SAQ recommended |
Level 1 is the most stringent. These merchants must undergo a full on-site assessment by a QSA (Qualified Security Assessor), with the QSA physically visiting the merchant's facilities, testing systems, reviewing evidence, and producing a formal Report on Compliance (ROC). Alternatively, Level 1 merchants may use an Internal Security Assessor (ISA)—an internal employee trained and approved by the PCI SSC—to conduct annual assessments, though this is less common.
Levels 2, 3, and 4 use Self-Assessment Questionnaires (SAQs) instead of on-site assessments. SAQs are detailed questionnaires that merchants complete annually, documenting their compliance with PCI DSS requirements. The length and complexity of the SAQ depends on the merchant's payment acceptance model (discussed below). All merchants at Levels 2, 3, and 4 must also undergo quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV)—a third-party firm authorized by the card networks to conduct vulnerability scanning.
| KEY IDEA | Level determination is based on transaction volume across all channels — not just card-present or just card-not-present. A merchant that processes 500,000 in-store and 600,000 online is a Level 1 merchant. Card networks also have the right to upgrade a merchant's level following a data breach, regardless of volume. |
The Two Service Provider Levels
Service providers are held to higher standards than merchants, because they process cardholder data on behalf of multiple merchants. A breach at a service provider can cascade and expose cardholder data belonging to thousands of merchants. For this reason, the transaction thresholds for service provider levels are lower than for merchant levels.
| Level | Annual Transactions | Validation Requirement |
|---|---|---|
| Level 1 SP | Over 300,000 card transactions processed annually (Visa) | Annual ROC by QSA + quarterly ASV scans |
| Level 2 SP | Up to 300,000 card transactions (Visa) | Annual SAQ D-SP + quarterly ASV scans |
Level 1 service providers must undergo annual on-site QSA assessments (ROC), the same as Level 1 merchants. The only real difference is that the transaction threshold is significantly lower (300,000 for SPs vs. 6 million for merchants). Level 2 service providers complete a detailed SAQ (SAQ D-SP) annually and undergo quarterly ASV scanning. The SAQ D-SP is particularly comprehensive, covering all 12 PCI DSS requirements and typically containing over 300 detailed questions.
| IMPORTANT | Service providers are held to stricter standards than merchants at equivalent volumes. A service provider that processes card data on behalf of multiple merchants amplifies breach risk across all of them — which is why card networks require more rigorous validation at lower transaction thresholds. |
Self-Assessment Questionnaires (SAQ Types)
Organizations not required to undergo a full ROC assessment use Self-Assessment Questionnaires (SAQs). There are nine different SAQ types, each designed for a specific payment acceptance model. The type of SAQ a merchant completes depends on their payment technology, how they accept cards, where card data is stored or processed, and how their systems are connected.
| SAQ Type | For Organizations That... | Approximate Size |
|---|---|---|
| SAQ A | Accept card-not-present payments through a fully hosted third-party payment page; never handle card data electronically | Short — ~20 questions |
| SAQ A-EP | Are e-commerce merchants with a payment page partially hosted by a third party, where website scripts can affect card data security | Medium — ~190 questions |
| SAQ B | Use only imprint machines or standalone dial-out terminals; no electronic card data storage | Short — ~40 questions |
| SAQ B-IP | Use standalone IP-connected POI terminals with no electronic card data storage | Medium — ~80 questions |
| SAQ C | Use payment applications connected to the internet; no electronic card data storage | Medium — ~160 questions |
| SAQ C-VT | Use a virtual terminal on an isolated computer for card-not-present transactions | Short — ~65 questions |
| SAQ D (Merchant) | Do not fit any other SAQ, or store card data electronically | Full — ~340 questions |
| SAQ D (SP) | Are service providers eligible to self-assess rather than complete a ROC | Full — ~340+ questions |
| SAQ P2PE | Use a validated P2PE solution with no access to clear-text CHD | Short — ~35 questions |
SAQ A is the shortest and simplest, available only to merchants using fully hosted payment pages where card data never touches the merchant's systems. SAQ D is the most comprehensive and applies to merchants that store, process, or transmit cardholder data directly. SAQ P2PE is a special category for merchants using validated point-to-point encryption solutions.
A critical point: the SAQ type is not the same as the merchant level. A Level 1 merchant completes a ROC, not an SAQ. But a Level 2 or Level 3 merchant might complete SAQ A, SAQ D, or any other SAQ depending on their payment processing model. Understanding your SAQ type is part of defining your scope and your validation pathway.
How Visa, Mastercard, and GPN Differ in Indonesia
Visa and Mastercard program rules are the international standard, and Indonesian merchants and payment service providers that accept international cards must comply with Visa and Mastercard requirements. These programs define the merchant levels, transaction thresholds, and validation methods described above.
Bank Indonesia's Gerbang Pembayaran Nasional (GPN) is Indonesia's national payment gateway, handling domestic payment transactions between Indonesian banks and merchants. GPN transactions are subject to Bank Indonesia security standards but may have slightly different compliance requirements than international card networks. For merchants and PSPs processing both GPN domestic transactions and international Visa/Mastercard transactions, the approach is to align with the more stringent requirements (Visa/Mastercard) to ensure comprehensive coverage.
| Indonesian merchants processing both GPN domestic transactions and international Visa/Mastercard transactions should prioritize alignment with Visa/Mastercard level requirements, as these are the more stringent standard. GPN compliance requirements are still evolving and typically align with or defer to PCI DSS for security controls. |
Moving Up a Level — What Triggers Reclassification
Merchant levels are not static. Several factors can trigger a reclassification to a higher level. The most obvious is exceeding a transaction volume threshold: if a Level 3 merchant's annual volume grows past 1 million transactions, it becomes a Level 2 merchant. Card networks also have the right to reclassify merchants based on risk factors: a data breach, suspicious activity, or a history of non-compliance can trigger forced reclassification to a higher (more stringent) level.
Post-breach reclassification is common. After a merchant experiences a breach, the acquiring bank and card networks typically upgrade it to Level 1 status, requiring an annual on-site QSA assessment. This reclassification remains in effect for a defined period (typically 3–5 years) as a risk management measure. The cost and burden of a Level 1 ROC assessment ($10,000 to $50,000+) are often sufficient motivation for merchants to invest heavily in post-breach remediation and risk reduction.
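The level-determination rules described above (volume summed across all channels, e-commerce-specific thresholds for Levels 3 and 4, the lower service-provider threshold, and forced reclassification after a breach) as a small Python classifier. This is an added example, not code from the original page or from any card network; it encodes only the Visa thresholds from the merchant and service-provider tables, and the `MerchantProfile` field names are assumptions.

```python
from dataclasses import dataclass

# Visa thresholds from the merchant level table (annual transaction counts)
LEVEL1_MIN_TOTAL = 6_000_000   # Level 1: over 6 million, any channel mix
LEVEL2_MIN_TOTAL = 1_000_000   # Level 2: 1-6 million, any channel mix
LEVEL3_MIN_ECOM = 20_000       # Level 3: 20,000-1 million e-commerce
SP_LEVEL1_MIN = 300_000        # Level 1 SP: over 300,000


@dataclass
class MerchantProfile:
    """Annual Visa transaction counts per acceptance channel (constructed input)."""
    card_present: int = 0   # brick-and-mortar POS
    ecommerce: int = 0      # card-not-present web payments
    moto: int = 0           # mail order / telephone order
    breached: bool = False  # acquirer/network has forced reclassification

    def total(self) -> int:
        # Level is driven by volume across ALL channels combined
        return self.card_present + self.ecommerce + self.moto


def merchant_level(p: MerchantProfile) -> int:
    """Return the Visa merchant level (1-4) for a profile."""
    if p.breached:
        return 1  # post-breach upgrade applies regardless of volume
    total = p.total()
    if total > LEVEL1_MIN_TOTAL:
        return 1
    if total >= LEVEL2_MIN_TOTAL:
        return 2
    # Below 1 million total: the e-commerce share alone decides 3 vs 4
    if p.ecommerce >= LEVEL3_MIN_ECOM:
        return 3
    return 4


def validation_requirement(level: int) -> str:
    """Map a merchant level to its validation pathway from the table."""
    return {
        1: "Annual on-site QSA assessment (ROC) or ISA assessment",
        2: "Annual SAQ + quarterly ASV scan",
        3: "Annual SAQ + quarterly ASV scan",
        4: "Annual SAQ + quarterly ASV scan (recommended)",
    }[level]


def service_provider_level(annual_transactions: int) -> int:
    """Return the Visa service provider level (1 or 2)."""
    return 1 if annual_transactions > SP_LEVEL1_MIN else 2
```

Note that a merchant with 900,000 card-present and 0 e-commerce transactions lands at Level 4, while adding just 25,000 e-commerce transactions moves it to Level 3 even though the total is unchanged in magnitude.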
Practical Path for Indonesian Organizations
Most Indonesian fintech startups, e-commerce platforms, and small payment companies begin at Level 4 or Level 3, validating with SAQ A, SAQ C, or SAQ D depending on their payment acceptance model and architecture. As transaction volumes grow over 1–3 years, they may advance to Level 2, eventually reaching Level 1 once they exceed 6 million annual transactions. The journey from startup (Level 4, SAQ A) to national payment processor (Level 1, annual ROC) typically takes 3–5 years of sustained growth and requires corresponding investments in security infrastructure, documentation, and compliance program maturity.