Level 2 PCI compliance cost 2026: SAQ or QSA pricing read
Level 2 is the most interesting PCI tier from a cost perspective because the acquirer-discretion call matters most here. Roughly 80 percent of Level 2 merchants self-assess via SAQ D at $10,000 to $30,000 per year; the rest are pushed to QSA-led assessment by their acquirer at $40,000 to $80,000 per year. Confirm the path before budgeting.
Updated April 2026
- SAQ D path total: $10k - $50k (if the acquirer accepts SAQ D self-assessment)
- QSA-led path total: $40k - $80k (if the acquirer requires a QSA assessment)
- Volume threshold: 1M - 6M transactions/yr (Visa, Mastercard, Discover; AmEx differs)
The Level 2 SAQ vs QSA decision
PCI DSS does not require Level 2 merchants to engage a QSA. The card brand programmes allow Level 2 merchants to self-assess via the appropriate Self-Assessment Questionnaire. However, the acquiring bank has contractual authority over its merchant book and can require any merchant, including Level 2, to engage a QSA for an annual on-site assessment. Acquirers exercise this discretion based on industry risk, breach history, chargeback rates, and processing patterns.
The cost differential is roughly 3 to 5x. SAQ D self-assessment with consultant assist runs $5,000 to $20,000. QSA-led assessment at Level 2 scope runs $35,000 to $70,000 for the compact band where ControlScan, SecurityMetrics, or boutique-tier QSAs compete, or $60,000 to $90,000 if the acquirer specifies a named-firm tier QSA (Coalfire, A-LIGN, Schellman, Trustwave). Before budgeting, get the acquirer's required path in writing.
The conversation with the acquirer is worth having proactively. Some acquirers are willing to accept SAQ D in place of QSA if the merchant demonstrates strong security posture (clean breach history, low chargeback rates, mature security program documentation). The cost of the conversation is one hour with the acquirer's risk team; the savings can be $30,000+ per year.
Full Level 2 cost decomposition (SAQ D path)
| Line item | Year 1 range | Recurring |
|---|---|---|
| SAQ D self-assessment (with consultant assist) | $5k - $20k | $3k - $12k annual |
| ASV quarterly scanning | $400 - $3,200 | $400 - $3,200 annual |
| Annual external penetration test | $5k - $20k | $5k - $20k annual |
| Tooling and continuous monitoring | $3k - $15k | $3k - $15k annual |
| Year 1 remediation (one-off) | $3k - $30k | $1k - $5k residual |
Anchored to Vendr aggregated buyer data and the Verizon Payment Security Report compliance maintenance figures. The QSA-led path adds $30,000 to $60,000 to the year-one total versus the SAQ D path.
Three concrete Level 2 scenarios
Scenario one. A B2B SaaS subscription business with 2 million transactions per year, single-region AWS deployment, Stripe Elements integration (custom checkout), acquirer accepts SAQ D self-assessment. Year-one total: $18,000 to $35,000. SAQ D with consultant assist $10,000 to $15,000, ASV scanning $600 to $1,500, external pen test $7,000 to $12,000, tooling $3,000 to $5,000, year-one remediation $3,000 to $10,000. Renewal years drop to $15,000 to $25,000.
Scenario two. A mid-market e-commerce retailer with 4 million transactions per year, multi-region cloud CDE, custom checkout requiring PCI v4.0 Req 6.4.3 payment-page script management, acquirer accepts SAQ D self-assessment with annual security attestation. Year-one total: $30,000 to $50,000. SAQ D $15,000 to $20,000, ASV scanning $2,000, external pen test $15,000 to $20,000, script monitoring tooling $5,000, year-one remediation $5,000 to $15,000.
Scenario three. A regional retail chain with 3.5 million transactions per year across 80 stores, in-store P2PE terminals plus e-commerce SAQ A-EP, acquirer requires QSA-led annual assessment due to industry-sector risk classification. Year-one total: $55,000 to $85,000. QSA assessment $40,000 to $60,000 (ControlScan or boutique-tier QSA), ASV scanning $2,500, pen tests $10,000 to $15,000, tooling $5,000, year-one remediation $5,000 to $15,000. The acquirer-imposed QSA requirement adds roughly $35,000 versus the SAQ D path that this merchant might otherwise have used.
Level-2-specific cost levers
Three levers materially change Level 2 economics. First, the SAQ A migration. For Level 2 e-commerce merchants who can migrate from custom checkout to hosted checkout (Stripe Checkout, PayPal, Adyen Drop-in), the SAQ type changes from SAQ D (329 controls, $10,000 to $20,000) or SAQ A-EP (191 controls, $4,000 to $12,000) to SAQ A (22 controls, $500 to $2,000). This is the single highest-leverage cost reduction available at Level 2, often saving $10,000+ per year.
Second, the acquirer conversation. Acquirers who impose QSA-led assessment on Level 2 merchants can sometimes be persuaded to accept SAQ D if the merchant demonstrates strong security posture. The conversation is one meeting; the saving is potentially $30,000+ per year. This is most often successful for merchants moving from a higher-risk processor relationship to a standard-risk relationship.
Third, tokenisation for SAQ D scope reduction. For Level 2 merchants stuck on SAQ D because of card-on-file storage requirements (recurring billing, subscription, marketplace seller payouts), implementing tokenisation through Stripe, Braintree, Basis Theory, or VGS removes the card data storage from the merchant's environment and can move the SAQ classification to a simpler type. The tokenisation implementation cost ($2,000 to $10,000 one-off) typically pays back within the first compliance cycle.
Talk to your acquiring bank first
The PCI SSC publishes the merchant level framework. Your acquiring bank determines the assessment path. Get the path in writing before budgeting.
Frequently asked
Level 2 PCI compliance runs $10,000 to $50,000 in year one across all line items: SAQ D self-assessment ($5,000 to $20,000), ASV quarterly scanning ($400 to $3,200), annual external pen testing ($5,000 to $20,000), tooling and ongoing monitoring ($3,000 to $15,000), and year-one remediation ($3,000 to $30,000). If your acquiring bank requires a QSA-led assessment instead of SAQ D self-assessment, the cost moves to the lower Level 1 band of $40,000 to $80,000.