How do PCI Merchant Levels Determine PCI Compliance?

Learn more about PCI merchant levels and how they affect PCI requirements.

Did you know that merchants have different PCI requirements depending on their level? Did you know there are different levels of merchants? The number and type of requirements will vary based on the number of transactions processed annually, which determines your merchant level.

What’s a merchant?

For the sake of clarity, we’ll start off by defining a merchant. In terms of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Basically, if your business takes these types of cards as payment, you’re defined as a merchant.

Keep in mind that a merchant that accepts cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants.

See also: What are Service Provider Levels and How Do They Affect PCI Compliance?‍

Merchants have 4 levels, depending on how many transactions they do annually. Here’s what the PCI DSS requires from each level. (Note that the number of transactions are based off of Visa’s parameters.)

See also: 5 Simple Ways to Get PCI Compliant

Level 1 Merchant

Merchants that process more than 6,000,000 transactions annually. These are the enterprise organizations that deal with a high volume of card data and processing.

See also: 5 PCI Compliance Tips for Enterprise Organizations‍

Key PCI Requirements:

• Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
• Quarterly network scan by Approved Scanning Vendor (ASV)
• Penetration Test
• Internal Scan
• Attestation of Compliance Form

See also: SecurityMetrics PCI Guide

Level 2 Merchant

Merchants that process about 1,000,000 to 6,000,000 transactions annually. These are businesses that still process a lot of card data, but not as much as Level 1 merchants.

Key PCI Requirements:

• Annual Self-Assessment Questionnaire (SAQ) if organization has a certified Internal Security Assessor (ISA) on staff or Onsite Assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA)
• Quarterly network scan by ASV
• Attestation of Compliance Form
• Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan)

Level 3 and Level 4 Merchants

‍Level 3 merchants are e-commerce merchants that process 20,000 to 1,000,000 transactions annually.

Level 4 merchants include small e-commerce businesses and those that process less than 20,000 transactions annually.

These are your smaller businesses that may only have a few POS machines, or don’t handle a lot of card data.‍

Key PCI Requirements:

• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance Form
• Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan)

See also: 7 PCI Compliance Tips for Small Businesses

‍Tips to get PCI compliant

‍If you’re a merchant, make sure you know what level you are since each level may have some different requirements from PCI. As you can see, Level 3 and 4 merchants have fewer requirements than level 1 and 2 merchants.

Here a few tips to help you get PCI compliant:

• Talk with a PCI professional: PCI compliance can get a little complex. Talk to a Qualified Security Assessor (QSA) to see what elements of the PCI DSS your business needs to focus on.
• Understand your PCI scope: Track where your card moves in and out of your network. This will help you determine which areas of your business environment need to be secured.
• Document everything: Having proper documentation with your policies and procedures will help you give proof of PCI compliance and help you stay organized in security.

See also: The Importance of the PCI DSS: Why You Should Get Compliant‍

Want more information about your own PCI requirements? Read the SecurityMetrics Guide to PCI DSS Compliance!