Compliance Guide
PCI DSS Merchant Levels 1–4 Explained
Your PCI DSS merchant level determines how you must validate compliance — whether that means a full on-site QSA assessment or a self-assessment questionnaire. This guide explains the four merchant levels, how each payment brand defines them, what validation is required at each level, and what can cause your level to change.
Overview of the Four Merchant Levels
The PCI DSS standard itself does not define merchant levels. Instead, each payment brand (Visa, Mastercard, American Express, Discover, JCB) establishes its own merchant level classification based primarily on annual transaction volume. The levels determine the validation method a merchant must use to demonstrate compliance — not the security controls required. Every merchant, regardless of level, must comply with all applicable PCI DSS requirements. The difference is how compliance is verified and reported.
In practice, the industry has converged around four levels that are broadly consistent across payment brands, with important differences detailed in the sections below. The general framework, based on Visa's definitions (which are the most commonly referenced), is as follows:
| Level | Annual transaction volume | Validation required |
| --- | --- | --- |
| Level 1 | 6+ million transactions/year | Annual ROC by QSA, quarterly ASV scans, annual penetration test |
| Level 2 | 1-6 million transactions/year | Annual SAQ (some brands require QSA involvement), quarterly ASV scans |
| Level 3 | 20,000-1 million e-commerce transactions/year | Annual SAQ, quarterly ASV scans |
| Level 4 | Under 20,000 e-commerce or up to 1 million other transactions/year | Annual SAQ, ASV scans recommended (required by some acquirers) |
Use the PCI Compliance Cost Calculator to estimate the total cost of compliance at your merchant level, including assessment fees, scanning costs, and technology investments.
Detailed Requirements by Level
Level 1: Over 6 Million Transactions Per Year
Level 1 is the most rigorous classification. It applies to the largest merchants and any merchant that has experienced a cardholder data breach, regardless of transaction volume. Level 1 validation requires:
- Annual Report on Compliance (ROC) — A formal on-site assessment conducted by a PCI SSC-certified Qualified Security Assessor (QSA). The ROC is a comprehensive document (typically 200+ pages) that details testing procedures and results for every applicable PCI DSS requirement.
- Quarterly ASV vulnerability scans — External vulnerability scans performed by an Approved Scanning Vendor, with passing results for each quarter.
- Annual penetration test — Both internal and external penetration testing per an industry-accepted methodology, covering network-layer and application-layer testing of the CDE.
- Attestation of Compliance (AOC) — Signed by both the QSA and the merchant, confirming that the assessment was completed and the merchant was found compliant.
The typical cost of a Level 1 ROC assessment ranges from $50,000 to $200,000 or more, depending on scope complexity, number of locations, and the QSA firm's rates. Preparation for a first-time Level 1 assessment can take six to twelve months. See the first assessment preparation guide for a detailed walkthrough.
Level 2: 1 to 6 Million Transactions Per Year
Level 2 merchants sit in a middle ground with validation requirements that vary significantly by payment brand. Most brands require an annual SAQ, but some (notably Visa in certain regions) may require QSA involvement for SAQ validation. Key requirements include:
- Annual Self-Assessment Questionnaire (SAQ) — The specific SAQ type depends on your payment environment. Use the SAQ Decision Engine to determine which questionnaire applies.
- Quarterly ASV scans — Required by all payment brands for Level 2 merchants.
- Annual penetration test — Required by some brands and acquirers. Even if not explicitly required, it is strongly recommended and many acquirers mandate it.
- Possible QSA validation — Visa requires Level 2 merchants to have their SAQ validated by a QSA or ISA (Internal Security Assessor). Mastercard may accept self-completed SAQs. Check with your acquirer for the specific requirement.
Level 2 represents the tier where organisations often have the most confusion about requirements, because each payment brand and acquirer may impose slightly different obligations. When in doubt, follow the most stringent requirement among your accepted brands.
Level 3: 20,000 to 1 Million E-Commerce Transactions Per Year
Level 3 is specifically scoped to e-commerce merchants. It applies to organisations processing between 20,000 and 1 million online card transactions annually. Note that this level counts only e-commerce transactions — card-present (in-store) transactions are not included in this threshold. Requirements include:
- Annual SAQ — The SAQ type depends on your e-commerce payment integration: SAQ A for fully outsourced payment pages, SAQ A-EP for payment pages on your domain, or SAQ D for server-side processing.
- Quarterly ASV scans — Required for all internet-facing systems.
- Annual penetration test — Not universally required at Level 3 by all brands, but many acquirers mandate it. Check your acquirer's specific requirements.
E-commerce merchants at Level 3 should pay particular attention to PCI DSS v4.0.1 Requirements 6.4.3 (payment page script management) and 11.6.1 (payment page tamper detection), which became mandatory on March 31, 2025 and are especially relevant to online payment environments.
Level 4: Under 20,000 E-Commerce or Up to 1 Million Other Transactions
Level 4 is the lowest classification and applies to the vast majority of merchants. It covers merchants processing fewer than 20,000 e-commerce transactions per year, or up to 1 million total transactions annually across all channels. Although Level 4 has the lightest validation requirements, it is not an exemption from PCI DSS compliance. Requirements include:
- Annual SAQ — The appropriate SAQ type based on your payment acceptance method. Many Level 4 merchants qualify for SAQ A (approximately 22 controls) if they fully outsource payment processing.
- Quarterly ASV scans — Recommended by all brands and required by many acquirers, even though some payment brands do not explicitly mandate them at Level 4.
- No QSA or penetration test requirement — Level 4 merchants typically do not need a QSA assessment or formal penetration test, though some acquirers may require them depending on risk factors.
Despite the lighter validation requirements, Level 4 merchants are disproportionately targeted in payment card breaches precisely because they tend to have weaker security controls. A breach at a Level 4 merchant can result in immediate reclassification to Level 1, with all the associated costs and requirements.
How Payment Brands Define Levels Differently
One of the most confusing aspects of PCI DSS merchant levels is that each payment brand uses slightly different transaction thresholds and validation requirements. You may be classified at different levels by different brands. Your acquirer determines which brand's programme applies, but if you accept multiple brands, you should comply with the most stringent requirements across all of them.
Visa
Visa's programme is the most commonly referenced and uses the four-level structure described above. Visa is notable for requiring Level 2 merchants to use a QSA or ISA for SAQ validation in most regions. Visa also maintains the authority to escalate any merchant to Level 1 at its discretion, regardless of transaction volume. Visa counts transactions across all payment channels (card-present, card-not-present, e-commerce) for Level 1 and Level 2 thresholds, but only e-commerce transactions for Level 3.
Mastercard
Mastercard's Site Data Protection (SDP) programme uses similar thresholds but with important differences. Mastercard's Level 1 threshold is also 6 million transactions, but Mastercard explicitly defines Level 2 as 1–6 million total transactions (all channels). Mastercard also classifies any merchant that has been breached as Level 1, and may designate merchants as Level 1 based on risk assessment regardless of volume. Mastercard generally accepts self-completed SAQs for Level 2 merchants without mandatory QSA involvement.
American Express
American Express uses a simplified three-level structure rather than four. Level 1 applies to merchants processing 2.5 million or more Amex transactions annually (a lower threshold than Visa and Mastercard). Level 2 covers 50,000 to 2.5 million Amex transactions. Level 3 covers fewer than 50,000 Amex transactions. Amex counts only American Express-branded transactions, not the total across all brands. This means you could be Level 4 with Visa but Level 2 with Amex if you process a high volume of Amex transactions.
Discover
Discover's Data Security Compliance (DISC) programme uses three levels similar to Amex. Level 1 applies to merchants processing 6 million or more Discover transactions annually. Level 2 covers 1–6 million. Level 3 covers fewer than 1 million. Discover requires Level 1 merchants to complete a ROC by a QSA and Level 2–3 merchants to complete an SAQ. Discover generally aligns with Visa's requirements but may impose additional obligations based on risk factors or breach history.
Practical Implications
Because of these differences, a single merchant can simultaneously be Level 2 with Visa, Level 2 with Mastercard, Level 1 with Amex, and Level 3 with Discover. When this occurs, the safest approach is to validate compliance at the highest (most stringent) level across all brands. Your acquirer can clarify which specific programme requirements you must satisfy, but defaulting to the most rigorous level protects you from compliance gaps.
What Triggers a Level Change
Merchant levels are not static. Several events can cause your classification to change, sometimes dramatically and with immediate effect. Understanding these triggers helps you plan for compliance requirements that may change year over year.
Transaction Volume Growth
The most common trigger is organic growth in transaction volume that crosses a level threshold. If you were processing 800,000 e-commerce transactions last year (Level 3) and this year you cross 1 million, you move to Level 2. Your acquirer monitors your transaction volume and will notify you of level changes, but you should proactively track your own volume and begin preparing for the next level's requirements before you cross the threshold. Moving from Level 2 to Level 1 is particularly impactful because it triggers a mandatory on-site QSA assessment.
Data Breach
A cardholder data breach immediately elevates you to Level 1, regardless of your current transaction volume. This is universally applied across all payment brands and is the most consequential trigger. Post-breach Level 1 requirements include: an immediate forensic investigation by a PCI Forensic Investigator (PFI), a full ROC assessment by a QSA, and potentially years of enhanced monitoring. The financial impact of a breach-triggered Level 1 classification typically dwarfs the cost of the breach itself, with forensic investigations costing $50,000–$500,000 and the subsequent ROC assessment adding another $50,000–$200,000.
Payment Brand Discretion
Every payment brand reserves the right to reclassify any merchant at a higher level based on risk assessment, even if the merchant's transaction volume does not warrant it. Factors that may trigger discretionary reclassification include: operating in a high-risk industry (adult entertainment, gambling, pharmaceuticals), consistently high chargeback rates, known security deficiencies, industry-wide threats targeting your sector, or geographic risk factors.
Acquirer Requirements
Your acquirer may impose stricter requirements than the payment brand minimums. Some acquirers require all their merchants to complete SAQs (even at Level 4 where some brands do not mandate them), require ASV scans for all merchants regardless of level, or mandate QSA involvement for Level 2 SAQ validation. Your acquirer's requirements are binding — treat them as additive to the card brand requirements.
Service Provider Levels
Service providers — organisations that store, process, or transmit cardholder data on behalf of other entities, or that manage CDE components for merchants — have a separate, simpler classification system with only two levels. Service provider levels carry stricter requirements than merchant levels because a compromised service provider can affect thousands of merchants simultaneously.
Service Provider Level 1
A service provider is classified as Level 1 if it stores, processes, or transmits more than 300,000 transactions annually (Visa threshold; Mastercard uses 300,000 as well). Level 1 service providers must:
- Complete an annual ROC by a QSA — the same rigorous on-site assessment required for Level 1 merchants.
- Conduct quarterly ASV scans and annual penetration testing.
- Submit their AOC to each payment brand for listing on the brand's validated service provider registry (e.g., Visa's Global Registry of Service Providers).
Being listed on the Visa or Mastercard service provider registry is often a business requirement — merchants need to verify that their service providers are PCI compliant, and the registries are the primary mechanism for doing so.
Service Provider Level 2
Service providers processing fewer than 300,000 transactions annually are classified as Level 2. They must complete an annual SAQ D for Service Providers (SAQ D-SP), which covers all 12 PCI DSS requirements plus service provider-specific requirements. Quarterly ASV scans are also required. Some brands and acquirers may still require Level 2 service providers to undergo a QSA assessment, especially if they handle high-value or high-sensitivity data.
Merchant vs Service Provider Classification
Some organisations act as both merchants (accepting payments for their own goods/services) and service providers (handling cardholder data for other entities). In this case, the organisation must comply with requirements for both classifications. A SaaS company that accepts card payments for its subscriptions (merchant) and also processes payments on behalf of its customers (service provider) needs to assess against both programmes. This dual classification is common and increases compliance complexity.
How to Determine Your Actual Transaction Count
Accurately counting your transactions sounds straightforward, but there are important nuances that affect your level classification. Getting this wrong in either direction is problematic: undercounting may result in non-compliance, while overcounting may subject you to unnecessarily stringent and expensive validation requirements.
What Counts as a Transaction
A transaction is generally defined as a single payment card interaction — an authorisation, purchase, or credit. Refunds, voids, and chargebacks are typically not counted as separate transactions for level determination purposes, though this can vary by payment brand. A recurring monthly subscription charged to a card counts as one transaction per billing cycle (12 transactions per year per customer). Pre-authorisation and capture count as a single transaction if they relate to the same purchase.
Channel Aggregation
Most payment brands aggregate transactions across all channels (e-commerce, in-store POS, mail order, telephone order) for Level 1 and Level 2 thresholds. However, Level 3 specifically counts only e-commerce (card-not-present) transactions. If you process 500,000 in-store transactions and 15,000 e-commerce transactions, you are not Level 3 (the e-commerce count is below 20,000) — you would be evaluated at Level 4 for e-commerce, and your overall level would then follow your total volume across all channels, which could place you at Level 2 if that total exceeds 1 million.
Multiple Merchant IDs
If your organisation operates under multiple Merchant IDs (MIDs), payment brands generally aggregate all MIDs under the same corporate entity for level determination. You cannot split transactions across multiple MIDs to stay under a level threshold. If your parent company processes 7 million transactions across three MIDs, the parent entity is Level 1 even if no single MID exceeds 6 million. However, if MIDs belong to genuinely separate legal entities, they may be classified independently — consult your acquirer.
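As an added worked example (not part of the original guide), the following Python function applies the counting rules above: it sums all MIDs belonging to one legal entity, uses total volume across every channel for Levels 1 and 2, uses e-commerce volume alone for Level 3, and lets a breach override volume entirely. The thresholds are the Visa figures stated on this page; the sample MID counts and the treatment of a count exactly on a boundary (a level is reached by strictly exceeding the threshold) are assumptions.

```python
# Constructed sample data: transaction counts per Merchant ID (MID) for one
# legal entity, broken down by channel. Only "ecommerce" counts toward the
# Level 3 threshold; every channel counts toward the Level 1 and 2 thresholds.
SAMPLE_ENTITY = {
    "MID-001": {"pos": 500_000, "ecommerce": 15_000},
    "MID-002": {"moto": 0, "ecommerce": 0},
}

# Visa thresholds as given on this page. Boundary handling is an assumption:
# "crossing" a threshold means strictly exceeding it.
LEVEL_1_MIN_TOTAL = 6_000_000
LEVEL_2_MIN_TOTAL = 1_000_000
LEVEL_3_MIN_ECOM = 20_000


def aggregate_counts(entity):
    """Sum transactions across all MIDs of one corporate entity.

    Returns (ecommerce_total, all_channels_total). Splitting volume across
    several MIDs does not lower either figure.
    """
    ecom = sum(mid.get("ecommerce", 0) for mid in entity.values())
    total = sum(sum(mid.values()) for mid in entity.values())
    return ecom, total


def visa_merchant_level(entity, breached=False):
    """Classify one legal entity under the Visa merchant levels on this page."""
    if breached:
        return 1  # a cardholder data breach overrides transaction volume
    ecom, total = aggregate_counts(entity)
    if total > LEVEL_1_MIN_TOTAL:
        return 1
    if total > LEVEL_2_MIN_TOTAL:
        return 2
    if ecom >= LEVEL_3_MIN_ECOM:
        return 3  # e-commerce volume only; card-present volume is ignored
    return 4


if __name__ == "__main__":
    # 15,000 e-commerce is below 20,000 and 515,000 total is below 1 million
    print("Visa level:", visa_merchant_level(SAMPLE_ENTITY))
```

Separate legal entities are classified independently, so run the function once per entity rather than merging their MIDs.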
Getting Your Official Count
The most reliable source for your transaction count is your acquirer's monthly or annual statements. Your payment processor can also provide transaction volume reports. Cross-reference these against your internal records (POS system reports, gateway dashboards) to ensure consistency. If there is a discrepancy between your records and your acquirer's, the acquirer's count takes precedence for level determination purposes.
For a comprehensive understanding of where you stand, use the PCI Compliance Cost Calculator to model your compliance costs based on your transaction volume, and the SAQ Decision Engine to determine the correct assessment type for your payment environment.
Know Your Level, Know Your Requirements
GRCTrack identifies your merchant level, determines the correct SAQ type, and guides you through every validation requirement — from Level 4 self-assessment to Level 1 QSA engagement.