Your PCI DSS compliance level is determined by your organization's transaction volume, processing channel, and role as either a merchant or service provider. The Payment Card Industry Security Standards Council (PCI SSC) defines four merchant levels and a parallel set of service provider tiers, each with distinct validation requirements. For Saudi and GCC enterprises operating under Vision 2030 — where digital payment adoption, fintech growth, and e-commerce are expanding rapidly — knowing which PCI DSS compliance level applies to your business is the first step toward avoiding fines, reputational damage, and potential loss of card-processing privileges.
These merchant levels range from Level 1 (over 6 million Visa transactions annually) down to Level 4 (fewer than 20,000 e-commerce transactions). Each level determines which Self-Assessment Questionnaire (SAQ) type you may be eligible to use, whether you require an on-site assessment by a Qualified Security Assessor (QSA), and how frequently you must submit compliance reports. For Saudi organizations subject to SAMA CSF compliance services in Saudi Arabia, understanding how PCI DSS maps to local regulatory expectations is critical. CyberSilo's Compliance Standards Automation platform helps enterprises determine their exact PCI level and automate the evidence collection required for both SAQs and Reports on Compliance (ROCs).
Why PCI DSS Levels Matter for Saudi Enterprises
Card-not-present fraud, data breaches at payment gateways, and non-compliance penalties are rising across the GCC. Saudi Arabia's fintech sector is projected to grow at over 20% CAGR through 2028, and the Saudi Central Bank (SAMA) mandates that all financial institutions handling cardholder data comply with PCI DSS as part of the SAMA Cybersecurity Framework (CSF). Beyond SAMA, the National Cybersecurity Authority's Essential Cybersecurity Controls (NCA ECC) also overlap with PCI DSS requirements around access control, logging, and vulnerability management.
PCI DSS compliance levels directly impact:
- Validation cost: Level 1 merchants require an on-site QSA assessment (ROC), which can cost SAR 100,000–300,000+. Level 4 merchants may only need a self-assessment (SAQ).
- Audit frequency: Higher levels require annual on-site assessments plus quarterly network scans by an Approved Scanning Vendor (ASV).
- Liability: If a breach occurs, non-compliant merchants face fines, card scheme penalties, and potential loss of acquiring bank relationships.
For Saudi enterprises — particularly those processing payments for government services, e-government portals, or Saudi fintech platforms — misclassifying your PCI level can lead to regulatory friction with SAMA or CITC.
Merchant Levels 1–4 Explained
The PCI SSC defines merchant levels based primarily on Visa transaction volumes over a rolling 12-month period. Mastercard, American Express, Discover, and JCB have similar tiering, with minor variations. Below is the definitive breakdown for Visa, which is the most widely adopted standard globally and in the GCC.
Level 1 Merchants
Criteria: Over 6 million Visa transactions per year (all channels). Level 1 also includes any merchant that has suffered a data breach or that is deemed high-risk by Visa or the acquiring bank, regardless of volume.
Validation requirements:
- Annual on-site ROC by a QSA
- Quarterly ASV network scans
- Attestation of Compliance (AOC) submission
SAQ eligibility: None. Level 1 merchants are not permitted to use any SAQ — they must undergo a full ROC.
Saudi context: Large Saudi banks (e.g., SNB, Al Rajhi), major telecom operators (STC, Zain, Mobily), and large e-commerce platforms like Noon or Jarir Bookstore typically fall into Level 1. If you process over SAR 50 million in card transactions annually, you are likely Level 1.
Level 2 Merchants
Criteria: 1 million to 6 million Visa transactions per year (all channels).
Validation requirements:
- Annual SAQ (eligible type depends on processing channel)
- Quarterly ASV network scans
- Annual ROC may be required by the acquiring bank
SAQ eligibility: SAQ A, A-EP, B, B-IP, C, C-VT, D (Merchant or Service Provider) — depending on the cardholder data environment.
Saudi context: Mid-sized Saudi retailers, regional hotel chains, and growing fintech platforms (e.g., Tamam, Lean) often fall into Level 2. Many have complex hybrid environments (e-commerce + POS + call center) that require SAQ D.
Level 3 Merchants
Criteria: 20,000 to 1 million Visa e-commerce transactions per year.
Validation requirements:
- Annual SAQ (typically SAQ A or A-EP for e-commerce)
- Quarterly ASV network scans
SAQ eligibility: SAQ A or A-EP are most common, but if the merchant stores, processes, or transmits cardholder data on-premises, SAQ D may be required.
Saudi context: Small-to-medium Saudi e-commerce stores, cloud-based payment gateways, and subscription-based services that process between 20k and 1M transactions. Many use Shopify, WooCommerce, or local Saudi payment gateways (e.g., PayTabs, HyperPay).
Level 4 Merchants
Criteria: Fewer than 20,000 Visa e-commerce transactions per year, and up to 1 million total transactions across all channels (e-commerce and non-e-commerce combined).
Validation requirements:
- Annual SAQ (typically SAQ A for fully outsourced card processing)
- Quarterly ASV network scans (if applicable)
SAQ eligibility: SAQ A is most common — but only if the merchant has fully outsourced all cardholder data processing to a PCI-compliant third party and does not store, process, or transmit any card data electronically.
Saudi context: Small Saudi restaurants, local service providers, and individual entrepreneurs using CPay or similar Saudi POS terminals. Many incorrectly assume they are exempt — but PCI DSS applies to any entity that accepts card payments, regardless of size.
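To make the four-level decision above reproducible (for example as part of an annual level validation exercise), here is an added example in Python. It is not CyberSilo's code or a PCI SSC tool; it encodes only the Visa thresholds stated in the sections above. The handling of the exact boundary values (precisely 6,000,000 total transactions, precisely 20,000 e-commerce transactions) is an assumption, because the text says "over 6 million" and "20,000 to 1 million"; confirm boundary cases with your acquiring bank, which holds the authoritative volume data.

```python
"""Derive a Visa merchant level from 12-month transaction volumes.

Added example, not CyberSilo's or the PCI SSC's code. Thresholds follow the
Level 1-4 criteria described on this page; boundary handling is an assumption.
"""
from dataclasses import dataclass


@dataclass
class TransactionProfile:
    total_visa_txns: int          # all channels, rolling 12 months
    ecommerce_visa_txns: int      # the e-commerce subset of total_visa_txns
    breached_or_high_risk: bool = False  # breach, or Visa/acquirer high-risk designation


def merchant_level(p: TransactionProfile) -> int:
    """Return 1..4 following the page's criteria; raise on inconsistent input."""
    if p.total_visa_txns < 0 or p.ecommerce_visa_txns < 0:
        raise ValueError("transaction counts must be non-negative")
    if p.ecommerce_visa_txns > p.total_visa_txns:
        raise ValueError("e-commerce volume cannot exceed total volume")
    # Level 1: over 6M all channels, or forced by a breach / high-risk flag.
    if p.breached_or_high_risk or p.total_visa_txns > 6_000_000:
        return 1
    # Level 2: 1M to 6M all channels (6,000,000 exactly treated as Level 2: assumption).
    if p.total_visa_txns >= 1_000_000:
        return 2
    # Level 3: 20k to 1M e-commerce transactions (20,000 exactly treated as Level 3: assumption).
    if p.ecommerce_visa_txns >= 20_000:
        return 3
    # Level 4: fewer than 20k e-commerce and under 1M total.
    return 4


def level_summary(p: TransactionProfile) -> dict:
    """Level plus the validation consequences stated on this page, for an evidence pack."""
    level = merchant_level(p)
    return {
        "level": level,
        "saq_permitted": level != 1,            # Level 1 must undergo a full ROC
        "onsite_roc_mandatory": level == 1,
        "quarterly_asv_scans": True,             # required at every level (Level 4: if applicable)
        "basis": ("breach/high-risk override" if p.breached_or_high_risk
                  else f"total={p.total_visa_txns}, ecommerce={p.ecommerce_visa_txns}"),
    }


if __name__ == "__main__":
    # Constructed sample profiles, not real merchants.
    samples = [
        TransactionProfile(7_500_000, 200_000),
        TransactionProfile(450_000, 10_000, breached_or_high_risk=True),
        TransactionProfile(2_000_000, 1_500_000),
        TransactionProfile(800_000, 50_000),
        TransactionProfile(300_000, 5_000),
    ]
    for s in samples:
        print(level_summary(s))
```

Run as a script it prints a summary per constructed profile; the `basis` field records why a level was assigned, which is the kind of justification an acquiring bank or QSA will ask for when they question a self-classification.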
Compliance Warning for Saudi Merchants: The Saudi Central Bank (SAMA) requires all licensed financial institutions to ensure their merchant clients maintain PCI DSS compliance. If your acquiring bank detects non-compliance, they may impose surcharges, increase reserve requirements, or terminate your merchant agreement. Even if you qualify for SAQ A, you must still submit an annual Attestation of Compliance to your acquiring bank.
Service Provider Levels
Service providers — including payment gateways, hosting providers, acquirers, and fraud detection platforms — are classified separately by Visa and the PCI SSC. The most widely used classification is Visa's service provider tiers:
Saudi fintech companies and payment service providers registered with SAMA are automatically expected to meet Tier 1 service provider requirements. The NCA ECC framework (see CyberSilo's NCA ECC compliance services in Saudi Arabia) also applies parallel controls for logging, monitoring, and incident response that align with PCI DSS requirements 10 and 12.
Unsure Which PCI DSS Level Applies to Your Saudi Business?
A misclassification can lead to audit failures or regulatory penalties. CyberSilo's experts help you determine your exact merchant or service provider level and build the evidence pack for your SAQ or ROC. Even if you have complex multi-channel processing, we can map your environment to the correct validation pathway.
SAQ Types and Which Level Can Use Them
The Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers that are not required to undergo a full on-site ROC. However, not all SAQs are available to all levels. The table below shows which SAQ types align with which PCI merchant level and processing environment.
Saudi merchants often assume they qualify for the simpler SAQ A, but our assessments show that over 40% of Saudi small-to-medium enterprises inadvertently store cardholder data in logs, databases, or email records — which immediately invalidates SAQ A eligibility and requires at minimum SAQ C or D. CyberSilo's PCI DSS compliance services in Saudi Arabia include a thorough cardholder data discovery scan to determine your actual SAQ eligibility.
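The eligibility problem described above (and again in the FAQ on SAQ A with PayTabs or HyperPay) comes down to one question: does any full PAN sit in your logs, databases, or mailboxes? The following added Python example shows the core of a cardholder data discovery check: a candidate-digit-run regex filtered by the Luhn check, run over a few constructed log lines. It is not CyberSilo's scanner and is not the page's own code; the sample log lines are constructed for illustration and the card numbers in them are the publicly documented Visa, Mastercard and Amex test numbers, not real PANs. The brand guess from the leading digit is a coarse heuristic, not a full BIN lookup.

```python
"""Minimal cardholder data discovery over log text (added example, not CyberSilo's code).

Approach: find 13-19 digit runs (optionally separated by spaces or dashes),
keep only those that pass the Luhn check, and report them masked to the last
four digits so the finding itself does not become a new PAN leak.
"""
import re

# A run of 13-19 digits with optional single space/dash separators, not embedded
# in a longer digit run (so a 22-digit IBAN body is not matched piecewise).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def guess_brand(digits: str) -> str:
    """Coarse brand heuristic from the leading digit (assumption, not a BIN table)."""
    return {"3": "Amex-range", "4": "Visa-range", "5": "Mastercard-range"}.get(digits[0], "unknown")


def mask(digits: str) -> str:
    """Show only the last four digits in any report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[dict]:
    """Return masked, Luhn-valid card number candidates found in one line of text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append({"masked": mask(digits), "brand": guess_brand(digits)})
    return hits


def scan_lines(lines: list[str]) -> list[dict]:
    """Scan a list of log lines; each finding carries its 1-based line number."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for hit in find_pans(line):
            findings.append({"line": n, **hit})
    return findings


def saq_a_ruled_out(lines: list[str]) -> bool:
    """Any full PAN stored in logs means the merchant is handling card data electronically."""
    return bool(scan_lines(lines))


# Constructed sample log lines (not from any real system). The card numbers are
# the well-known public test numbers; order ids, phone numbers and the IBAN are
# digit runs that must NOT be reported.
SAMPLE_LOG = [
    '2024-03-01 10:12:03 INFO order=1234567890123456 customer=+966501234567 status=PAID',
    '2024-03-01 10:12:04 DEBUG gateway_request card=4111111111111111 exp=12/27',
    '2024-03-01 10:15:22 INFO refund iban=SA0380000000608010167519',
    '2024-03-01 10:20:00 ERROR retry payload="5555 5555 5555 4444"',
    '2024-03-01 10:21:00 INFO amex=378282246310005 tokenised=false',
    '2024-03-01 10:22:00 INFO token=tok_9f8a7b6c5d4e3f2a1b0c',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f['line']}: {f['brand']} {f['masked']}")
    print("SAQ A ruled out:", saq_a_ruled_out(SAMPLE_LOG))
```

Only the three Luhn-valid card numbers are reported; the 16-digit order id fails Luhn, the phone number is too short, and the IBAN is a single longer digit run that the regex refuses to split. A real discovery exercise runs the same logic over databases, mail stores and backups, not just logs, and any confirmed hit moves the merchant off SAQ A.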
Validation and Reporting Timeline by Level
The frequency of validation varies by level. Below is the typical schedule for Saudi entities:
- Level 1: On-site ROC every 12 months. Quarterly ASV network scans. Evidence of passing scans must be submitted within 30 days of scan completion.
- Level 2: SAQ submission annually (within 90 days of fiscal year end). Quarterly ASV scans. Some acquiring banks may request a gap assessment ROC.
- Level 3: SAQ submission annually. Quarterly ASV scans. Must maintain evidence of passing scan for each quarter.
- Level 4: SAQ submission annually. Quarterly ASV scans (only if your environment requires them based on SAQ type).
Saudi organizations registered with SAMA must also align their PCI DSS validation cycle with SAMA CSF reporting requirements — often resulting in a combined assessment. CyberSilo's Compliance Standards Automation platform can synchronize PCI DSS validation tasks with NCA ECC and SAMA CSF calendars to eliminate redundant effort.
Automate Your PCI DSS Evidence Collection for Any Level
Whether you need a full ROC or an SAQ D, CyberSilo's platform maps every PCI DSS requirement (including all 12 requirements of v4.0.1) to your existing security controls. We help you avoid the common pitfalls that cause SAQ type misclassification and ROC failures in Saudi audits.
Frequently Asked Questions
How do I know if I am a Level 1 or Level 2 merchant in Saudi Arabia?
Your PCI level is determined by your total Visa transaction volume over the previous 12 months. If you exceed 6 million Visa transactions, you are Level 1. Between 1 million and 6 million, you are Level 2. Your acquiring bank (e.g., SNB, Al Rajhi, Alinma) maintains this volume data and can confirm your classification. For non-Visa card schemes (Mastercard, Amex), similar volume thresholds apply but may vary slightly.
Can a Saudi e-commerce merchant use SAQ A if they use PayTabs or HyperPay?
Only if the merchant has entirely outsourced all cardholder data processing to the payment gateway and does not store, process, or transmit any cardholder data electronically. This means no customer database with stored PANs, no email containing full card numbers, and no log files with card data. Most Saudi e-commerce merchants who manage their own customer accounts or order history will require at minimum SAQ A-EP or SAQ D.
What happens if a Saudi merchant misclassifies their PCI DSS level?
Misclassification can result in submitting the wrong SAQ type, which may be rejected by your acquiring bank. In serious cases, the bank may flag you as non-compliant, impose higher transaction fees, increase reserve requirements, or terminate your merchant agreement. For SAMA-regulated entities, misclassification could also trigger regulatory scrutiny under SAMA CSF and NCA ECC frameworks.
Do I need a QSA for Level 2 in Saudi Arabia?
Level 2 merchants can typically use a SAQ, but many Saudi acquiring banks now require a ROC by a QSA if your environment involves complex or multiple processing channels. Additionally, if you are a Level 2 merchant that also serves as a service provider (e.g., you process payments for other businesses), you may be reclassified as a Tier 1 service provider and need a ROC.
How does PCI DSS Level 1 intersect with SAMA CSF in Saudi Arabia?
Both frameworks require robust access controls, logging and monitoring, vulnerability management, and incident response. SAMA CSF’s control domains (e.g., Cybersecurity Operations, Identity and Access Management) directly map to PCI DSS requirements 7, 8, 10, and 11. A combined assessment approach using a unified automation platform can reduce duplication and audit fatigue. CyberSilo's SAMA CSF compliance services in Saudi Arabia are designed to align both frameworks efficiently.
Our Conclusion & Recommendation
Determining your correct PCI DSS compliance level is not optional — it is the foundation of cardholder data security for Saudi enterprises. Misclassification, whether due to transaction volume miscalculation, incorrect SAQ selection, or oversight of service provider status, exposes your organization to compliance failures, financial penalties, and reputational risk. With the rapid expansion of Saudi fintech, e-government payment services, and digital banking under Vision 2030, the regulatory landscape is only tightening. SAMA and NCA now expect seamless alignment between PCI DSS and local frameworks.
CyberSilo recommends that every Saudi merchant and service provider conduct a level validation exercise at least annually, especially if your transaction volume is growing or you have recently added new payment channels. Our Compliance Standards Automation platform automates the evidence mapping for PCI DSS, NCA ECC, SAMA CSF, and CITC CRF simultaneously — so you never have to manage compliance in silos again.
Get Your PCI Level Confirmed in One Business Day
CyberSilo's team of PCI QSAs and compliance engineers will review your transaction volume, processing environment, and existing controls to confirm your exact level and SAQ eligibility — at no cost for the initial assessment.
