Definition

PCI DSS merchant levels

Contributor(s): Matthew Haughn

The PCI DSS merchant level (Payment Card Industry Data Security Standard merchant level) is a classification of merchants into four levels according to the number of payment card transactions they process per year.

The payment card industry (PCI) uses merchant levels to gauge the risk a merchant represents and the level of security appropriate for its business. Specifically, a merchant's level determines how much assessment and security validation it must complete to pass a PCI DSS assessment.

Levels and the validation required for each:

Merchant Level: 1

• Merchant Criteria:

1. Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year.

2. Any merchant that has had a data breach or attack that resulted in an account data compromise.

3. Any merchant identified by any card association as Level 1.

• Validation Requirements:

1. Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”), also commonly known as a Level 1 onsite assessment, or by an internal auditor if signed by an officer of the company.

2. Quarterly network scan by Approved Scan Vendor (ASV).

3. Attestation of Compliance Form.

Merchant Level: 2

• Merchant Criteria:

Merchants processing 1 million to 6 million Visa or MasterCard transactions annually (all channels).

• Validation Requirements for Visa and MasterCard:

1. Annual Self-Assessment Questionnaire (“SAQ”).

2. Quarterly network scan by ASV.

3. Attestation of Compliance Form.

Merchant Level: 3

• Merchant Criteria:

Merchants processing 20,000 to 1 million Visa or MasterCard e-commerce transactions annually.

• Validation Requirements for Visa and MasterCard:

1. Annual Self-Assessment Questionnaire (“SAQ”).

2. Quarterly network scan by ASV.

3. Attestation of Compliance Form.

Merchant Level: 4

• Merchant Criteria:

Merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.

• Validation Requirements for Visa and MasterCard:

1. Annual Self-Assessment Questionnaire (“SAQ”).

2. Quarterly network scan by ASV.

3. Attestation of Compliance Form.

Note: ultimately, compliance validation requirements are set by the merchant's acquirer.


This was last updated in June 2015
