Level 1 PCI compliance cost 2026: full ROC pricing read
Level 1 is the only PCI tier where a QSA-led Report on Compliance is genuinely mandatory across all card brands. Year-one cost ranges from $50,000 for a compact single-region SaaS Level 1 to $500,000+ for a global multi-site enterprise, and the gap between those two numbers is almost entirely scope rather than vendor choice.
Updated April 2026
- Year 1 total: $50k - $500k+ (compact single-region to global enterprise)
- Volume threshold: 6M+ transactions/yr (Visa, Mastercard, Discover; AmEx threshold is 2.5M)
- QSA required: Yes (QSA or trained internal ISA)
What defines Level 1 PCI across all card brands
Level 1 designation thresholds are set per card brand and differ slightly. Visa and Mastercard set the bar at 6 million card transactions per year across all channels. Discover sets it at 6 million transactions. American Express sets it at 2.5 million transactions per year and additionally allows itself to designate any AmEx merchant Level 1 at AmEx's discretion. JCB designates any merchant processing 1 million or more JCB transactions per year as Level 1.
Any merchant exceeding the threshold for any one card brand is Level 1 for that brand specifically, which in practice means a merchant exceeding any single threshold is Level 1 for the whole compliance programme. Additionally, any merchant suffering a confirmed cardholder data compromise is treated as Level 1 by the affected card brands regardless of transaction volume, typically for at least the next ROC cycle. This breach-induced Level 1 designation is one of the most significant cost shocks in the PCI world and is a recurring driver of urgent ROC engagements.
The PCI SSC's PCI DSS v4.0 document library contains the formal merchant level definitions in the Reporting Guide. Acquiring banks publish their own interpretation of these thresholds, and there is sometimes minor variation in how aggressively an acquirer applies the upgrade trigger for borderline merchants. Confirm your designation in writing with your acquirer before budgeting; the cost step between Level 2 and Level 1 is steep.
Full Level 1 cost decomposition
| Line item | Year 1 range | Renewal range |
|---|---|---|
| QSA ROC assessment fee | $40k - $200k | $25k - $120k |
| External penetration test | $10k - $40k | $10k - $40k (annual) |
| Internal penetration test | $10k - $30k | $10k - $30k (annual) |
| Segmentation validation | $5k - $15k | $5k - $15k (every 6 months) |
| ASV quarterly scanning | $1.5k - $10k | $1.5k - $10k (annual) |
| Tooling and continuous monitoring | $10k - $50k | $10k - $50k (annual) |
| Year 1 remediation (one-off) | $20k - $150k+ | $2k - $30k (residual) |
Anchored to the Verizon Payment Security Report compliance maintenance data, public Coalfire and A-LIGN customer disclosures, and Vendr aggregated buyer data. Year-one remediation is the most variable line item and depends heavily on pre-engagement security maturity.
Three concrete Level 1 scenarios
Scenario one. A SaaS payment processor with 8 million transactions per year, single-region AWS deployment, single cardholder data environment, hosted-checkout integration with all cardholder data flowing through a PCI Level 1 payment gateway (Stripe, Adyen, Braintree). Year-one total: $80,000 to $130,000. The QSA fee dominates ($50,000 to $80,000), with bundled pen testing through the same QSA at $20,000 to $30,000 and ASV scanning plus tooling rounding out the total. Renewal years drop to $50,000 to $80,000.
Scenario two. A mid-cap e-commerce retailer with 15 million transactions per year, custom checkout integration with Stripe Elements requiring SAQ A-EP-equivalent controls under Req 6.4.3 script management, multi-region cloud CDE across AWS US-East and US-West, payment-page script monitoring tooling already deployed. Year-one total: $150,000 to $220,000. QSA fee $90,000 to $140,000, separate external and internal pen testing $40,000 to $60,000, segmentation validation $10,000, ASV plus tooling $15,000 to $25,000, year-one remediation roughly $30,000.
Scenario three. A global hotel chain with 50 million transactions per year, hundreds of in-scope locations across multiple countries, on-property POS terminals with mixed P2PE and non-P2PE deployment, in-property card storage for booking adjustments and tip processing. Year-one total: $300,000 to $500,000+. QSA fee $150,000 to $250,000+ reflecting the multi-site fieldwork, multiple pen tests across regional environments $50,000 to $100,000, segmentation validation per region $15,000 to $30,000, enterprise-scale tooling $50,000 to $100,000, year-one remediation typically the largest line item at $50,000 to $150,000+ because pre-engagement security maturity at multi-site enterprises is consistently uneven across properties.
Level-1-specific cost levers
Three levers materially change Level 1 economics. First, scope reduction through tokenisation or hosted payment pages. Moving cardholder data flow out of the merchant's CDE through Stripe Checkout, Adyen Drop-in, or full tokenisation reduces the number of in-scope systems by 60 to 90 percent in many cases. The Level 1 ROC still happens, but the assessor's evidence collection effort drops dramatically, and the fee follows. This is the single highest-leverage cost lever at Level 1.
Second, the Internal Security Assessor path. Training one or two internal employees as PCI ISAs at $3,000 to $5,000 per certification, plus annual continuing education, can replace the QSA-led annual ROC for organisations with mature internal security functions. The annual saving for Level 1 enterprises is typically $50,000 to $150,000+ versus engaging an external QSA, though the up-front investment is meaningful and the ISA must remain organisationally independent of the systems they assess.
Third, the multi-framework bundle. For Level 1 organisations with combined PCI plus SOC 2 plus ISO 27001 obligations (typical of B2B SaaS and fintech), engaging a single named-firm QSA to handle all three frameworks (A-LIGN or Schellman are the most aggressive on this) saves 25 to 40 percent versus engaging separate firms. For Level 1 plus FedRAMP combined, Coalfire's bundle is the cheapest path.
The PCI SSC publishes the formal merchant level definitions, Reporting Instructions, and ROC template in the official document library.
Frequently asked
Level 1 PCI compliance runs $50,000 to $500,000+ in year one across all line items: QSA assessment fee ($40,000 to $200,000), external pen testing ($10,000 to $40,000), internal pen testing ($10,000 to $30,000), segmentation validation testing ($5,000 to $15,000), ASV scanning ($1,500 to $10,000), tooling and ongoing monitoring ($10,000 to $50,000), and remediation in year one ($20,000 to $150,000+). Renewals are typically 35 to 50 percent cheaper than the first ROC. The full Level 1 range is wide because scope variance is enormous between a single-region SaaS Level 1 and a global multi-site enterprise.