Definition

PCI DSS merchant levels

Contributor(s): Matthew Haughn

The PCI DSS merchant level (Payment Card Industry Data Security Standard merchant level) is a four-tier classification of merchants based on the number of payment card transactions they process per year.

The payment card industry (PCI) uses merchant levels to gauge risk and to set the appropriate level of security validation for a merchant's business. Specifically, a merchant's level determines how much assessment and security validation is required for it to pass a PCI DSS assessment.

Levels and the validation required for each:

Merchant Level: 1

• Merchant Criteria:

1. Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year.

2. Any merchant that has had a data breach or attack that resulted in an account data compromise.

3. Any merchant identified by any card association as Level 1.

• Validation Requirements:

1. Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), also commonly known as a Level 1 onsite assessment, or by an internal auditor if the report is signed by an officer of the company.

2. Quarterly network scan by an Approved Scanning Vendor (ASV).

3. Attestation of Compliance Form.

Merchant Level: 2

• Merchant Criteria:

1 million to 6 million Visa or MasterCard transactions annually (all channels).

• Validation Requirements for Visa and MasterCard:

1. Annual Self-Assessment Questionnaire (SAQ).

2. Quarterly network scan by an ASV.

3. Attestation of Compliance Form.

Merchant Level: 3

• Merchant Criteria:

Merchants processing 20,000 to 1 million Visa or MasterCard e-commerce transactions annually.

• Validation Requirements for Visa and MasterCard:

1. Annual Self-Assessment Questionnaire (SAQ).

2. Quarterly network scan by an ASV.

3. Attestation of Compliance Form.

Merchant Level: 4

• Merchant Criteria:

Fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.

• Validation Requirements for Visa and MasterCard:

1. Annual Self-Assessment Questionnaire (SAQ).

2. Quarterly network scan by an ASV.

3. Attestation of Compliance Form.

Note: Ultimately, the compliance validation requirements that apply to a merchant are set by its acquirer.

This was last updated in June 2015
