PCI DSS Requirements Merchant Level 2
All businesses that store, process, or transmit payment card transactions are required to become PCI DSS compliant. PCI DSS compliance is a set of standards that your business will need to follow to ensure that your security systems are watertight to reduce the risk of any cyber-attacks or data breaches.

Depending on the size and scale of your business, you will fall under one of the four following PCI DSS merchant levels:
- Level 1 covers merchants that process over 6 million card transactions a year.
- Level 2 covers merchants that process 1 million to 6 million transactions a year.
- Level 3 covers merchants that process 20,000 to 1 million transactions a year.
- Level 4 covers merchants that process fewer than 20,000 transactions a year.
Everything your business needs to know about adhering to PCI DSS Level 2 requirements is explained below.
{{snapshot}}
Level 2 in brief
- Level 2 = merchants processing 1 to 6 million card transactions a year.
- American Express uses a 50,000–2.5 million band; JCB caps at under 1 million.
- Cross six million transactions and you move up to Level 1.
{{/snapshot}}
What is PCI DSS Level 2?
If your business processes, stores, or transmits between one and six million card transactions per year, you would be classified as a PCI DSS Level 2 merchant.
However. It’s worth acknowledging that different card providers have different conditions for businesses aiming to qualify as PCI- DSS Level 2 merchants. These are:
| Card brand | Merchant threshold (annual) | Service provider threshold (annual) |
|---|---|---|
| VISA, Mastercard, Discover | 1 to 6 million | Fewer than 300,000 |
| American Express | 50,000 to 2.5 million | Fewer than 300,000 |
| JCB | Fewer than 1 million | Fewer than 300,000 |
If your annual transactions were ever to exceed six million, you would need to follow PCI DSS Level 1 requirements
How do merchants become PCI DSS Level 2 compliant?
A business aiming for PCI DSS Level 2 compliance should first complete PCI DSS Self-Assessment Questionnaire (SAQ). This is a PCI Security Standards Council (SSC) approved form that asks a business to self-assess its current security measures and the strength of these.
If your business is on the verge of meeting PCI DSS Level 1 requirements, you may also need to complete an Annual Report on Compliance (ROC) prepared by a Qualified Security Auditor (QSA). This is only the case if you are nearing the maximum of six million transactions annually.
During an ROC, your QSA will need to assess your point-of-sale (POS) system to review all potential vulnerabilities. This will result in a priority list of actions your business will need to take to ensure all security issues are tackled.
Following an ROC, you will need to continuously monitor and maintain any newly implemented security protocols to reduce the risk of a breach.
Your business will also need to have quarterly network scanning undertaken by an Approved Scan Vendor (ASV), as well as regular penetration testing and internal scanning, to remain PCI DSS Level 2 compliant.
{{snapshot}}
What Level 2 compliance requires
- Start with a PCI DSS Self-Assessment Questionnaire (SAQ) from the PCI SSC.
- Near six million transactions, add an Annual Report on Compliance (ROC) by a QSA, who reviews your POS system.
- Run quarterly ASV network scans plus penetration testing and internal scanning.
- Continuously monitor and maintain new controls after an ROC.
{{/snapshot}}
Do service providers have to follow PCI DSS Level 2 requirements?
Service providers are often chosen by merchants to work as third-party payment processors during transactions. These usually either offer internet services or act ask the receiving bank. As they are also involved in handling vulnerable cardholder data, service providers must also ensure they are PCI DSS compliant.
If a service provider stores, processes, or transmits fewer than 300,000 payment card transactions each year, they will have to follow the below PCI DSS Level 2 requirements:
- An annual SAQ
- An ROC prepared by a QSA
- A quarterly network scan by an ASV
- Regular penetration testing
- Regular internal scanning
- An Attestation of Compliance Form
Why should my business be PCI DSS Level 2 compliant?
It’s important to consider the benefits that being PCI DSS Level 1 compliant offers. Your business will appear more trustworthy when negotiating with banks and stakeholders, who tend to actively seek out PCI DSS compliance in partners. This will also reflect well on your clients and customers, who will ultimately have more confidence when making a transaction with your business.
Your cyber defence will also be strengthened overall thanks to the increased measures. This reduces the risk of data breaches significantly, which will save your business from having to recover from expensive fines and any reputational damage.
{{snapshot}}
What Hicomply recommends
Level 2 is where the workload steps up: an SAQ, quarterly ASV scans and, if you are near the six-million ceiling, a full ROC. The merchants who cope best are the ones already running Level 1-style discipline before they need it, so an upgrade is a formality rather than a fire drill. Keep your evidence continuous with our free compliance tools.
{{/snapshot}}
Become PCI DSS Level 2 compliant with Hicomply
PCI DSS compliance can be a long and arduous procedure, especially if your business is new to the process. This is why Hicomply is dedicated to helping businesses make compliance simpler than ever.
Our ISMS solution organises your documents, keeping them all in one place, so you can stay on top of everything with ease. If you’re looking for compliance as you work, contact us for a demo today.
Ready to Take Control of Your Privacy Compliance?
See how Hicomply can accelerate your path to CAF compliance in a 15-minute demo.



