Level 3 PCI compliance cost 2026: e-commerce SAQ pricing read
Level 3 is the e-commerce-specific PCI level. The defining cost dynamic in 2026 is PCI v4.0 Requirement 6.4.3 payment-page script management, which became mandatory in March 2025 and added a meaningful new tooling line item for any Level 3 merchant on custom checkout integration.
Updated April 2026
| Metric | Value | Detail |
|---|---|---|
| Year 1 total | $5k - $20k | SAQ A: $5k-$8k; SAQ A-EP: $15k-$25k |
| Volume threshold | 20k - 1M | E-commerce transactions per year (V/MC) |
| QSA required | No (self-assess via SAQ) | |
The Level 3 e-commerce-specific definition
Level 3 is the only PCI level defined by channel-specific transaction volume. Visa and Mastercard set it as 20,000 to 1 million e-commerce-channel transactions per year. A merchant with 500,000 in-person transactions and 50,000 e-commerce transactions is Level 3 for PCI purposes. A merchant with 100,000 in-person and 0 e-commerce transactions is Level 4 even though total volume is higher than the Level 3 floor. The e-commerce-channel definition matters because the Level 3 compliance obligation is essentially an e-commerce checkout security exercise rather than a payment-environment-wide exercise.
This channel-specific framing makes Level 3 the level most affected by PCI v4.0 changes targeting e-commerce specifically. Requirement 6.4.3 (payment-page script management), which became mandatory in March 2025, applies to any e-commerce merchant whose website can affect the security of the payment page. This includes all SAQ A-EP merchants, which is to say most Level 3 merchants with custom checkout integration. The compliance evidence requires either a payment-page script monitoring tool or extensive manual evidence collection, and this is the single new cost item for Level 3 merchants in 2026 versus prior years.
For merchants whose e-commerce volume is approaching but not yet exceeding 1 million transactions per year, the planning conversation is when the upgrade to Level 2 triggers. Acquirers vary on how strictly they enforce the threshold; some upgrade designation at the first quarter showing the merchant has crossed, others wait for the annual review. Confirm the upgrade trigger with your acquirer if Level 2 designation is on the horizon.
Full Level 3 cost decomposition
| Line item | SAQ A merchant | SAQ A-EP merchant |
|---|---|---|
| SAQ completion | $500 - $2,000 | $4,000 - $12,000 |
| ASV quarterly scanning | $400 - $1,000 | $600 - $1,500 |
| Annual external pen test | Not required | $5,000 - $10,000 |
| Payment-page script monitoring (Req 6.4.3) | Not required | $2,000 - $5,000 |
| Tooling and continuous monitoring | $500 - $2,000 | $1,500 - $5,000 |
| Year 1 remediation (one-off) | $500 - $3,000 | $3,000 - $10,000 |
Anchored to Vendr aggregated buyer data, public consulting rate cards, and Req 6.4.3 tooling product pricing from c/side, Jscrambler, and Source Defense.
Three concrete Level 3 scenarios
Scenario one. A Shopify store with 200,000 transactions per year, all payments through Shopify Payments (hosted), no custom payment page integration. Year-one total: $300 to $800. SAQ A through the SecurityMetrics bundled product, ASV scanning bundled, no Req 6.4.3 obligation because the payment page is hosted by Shopify outside the merchant's PCI scope. This is the practical floor for a Level 3 merchant on hosted checkout.
Scenario two. A direct-to-consumer brand with 500,000 transactions per year, custom Next.js storefront with Stripe Elements integration, requires SAQ A-EP and PCI v4.0 Req 6.4.3 compliance. Year-one total: $12,000 to $22,000. SAQ A-EP completion with consultant assist $5,000 to $8,000, ASV scanning $1,000, external pen test $7,000 to $10,000 (required for SAQ A-EP), script monitoring tooling deployment $3,000, year-one remediation $2,000 to $5,000.
Scenario three. A digital-goods marketplace with 800,000 transactions per year, custom checkout integrating multiple payment methods (Stripe, PayPal, Apple Pay, Google Pay), payment-page complexity requires both SAQ A-EP scope and significant Req 6.4.3 evidence collection. Year-one total: $20,000 to $35,000. SAQ A-EP completion $8,000 to $12,000, ASV scanning $1,500, external pen test $10,000 to $15,000, script monitoring with enterprise tier deployment $5,000, year-one remediation $5,000 to $10,000.
Level-3-specific cost levers
Three levers materially change Level 3 economics. First, migration from SAQ A-EP to SAQ A. The cost gap between SAQ A and SAQ A-EP is roughly 3 to 4x, and the migration is usually a 4 to 8 week development effort. For Level 3 merchants currently on SAQ A-EP, this is the first conversation to have.
Second, the bundled SAQ-plus-ASV product through SecurityMetrics or a similar SMB-focused PCI provider. For Level 3 SAQ A merchants, the bundled product at $200 to $500 per year is the cheapest legitimate compliance path. For SAQ A-EP merchants, the bundled approach is less common because SAQ A-EP completion typically requires consulting depth that the SMB portal products do not provide.
Third, payment-page script monitoring tool selection. For SAQ A-EP merchants required to deploy a Req 6.4.3 tool, the market includes pure-play products (c/side, Jscrambler, Source Defense at $3,000 to $8,000 per year), CDN-integrated alternatives (Cloudflare Page Shield, Akamai Script Manager included with CDN subscriptions), and enterprise script integrity platforms. Evaluating these options carefully can save $2,000 to $5,000 per year in tooling cost. Buyers already on Cloudflare for CDN should evaluate Page Shield first; the additional cost is often minimal.
Get the PCI SSC SAQ documents
The PCI SSC publishes SAQ A, SAQ A-EP, and the other SAQ types in the official document library. Reading the actual SAQ before scoping the engagement saves time and cost.
Frequently asked
Level 3 PCI compliance runs $5,000 to $20,000 in year one across all line items: SAQ A or A-EP completion ($1,000 to $5,000), ASV quarterly scanning ($400 to $1,500), annual external pen testing ($5,000 to $10,000), payment-page script monitoring tooling for SAQ A-EP merchants ($2,000 to $5,000), tooling and ongoing monitoring ($1,000 to $5,000), and year-one remediation ($1,000 to $10,000). The wide range reflects the difference between a Stripe-Checkout-only Level 3 merchant ($5,000 to $8,000 year one) and a custom-checkout Level 3 with PCI v4.0 Req 6.4.3 scope ($15,000 to $25,000 year one).