PCI DSS Merchant Levels
The Payment Card Industry Data Security Standard (PCI DSS) defines different merchant levels based on the annual volume of card transactions processed by a merchant. These merchant levels help determine the specific requirements and validation procedures that merchants must follow to ensure the security of cardholder data. The PCI DSS has four main merchant levels:
1. Merchant Level 1: This level includes merchants that process over 6 million Visa or Mastercard transactions per year, or any merchant designated as Level 1 by their payment card brand. It also encompasses merchants that have suffered a significant data breach in the past. Level 1 merchants are subject to the most stringent validation requirements and must undergo an annual onsite assessment by a Qualified Security Assessor (QSA).
2. Merchant Level 2: This level applies to merchants that process between 1 and 6 million Visa or Mastercard transactions per year. Level 2 merchants must complete an annual self-assessment questionnaire (SAQ) and conduct quarterly network vulnerability scans using an Approved Scanning Vendor (ASV).
3. Merchant Level 3: This level includes merchants that process between 20,000 and 1 million Visa or Mastercard e-commerce transactions per year. Similar to Level 2, Level 3 merchants must complete an annual SAQ and perform quarterly network vulnerability scans.
4. Merchant Level 4: This level encompasses merchants that process fewer than 20,000 Visa or Mastercard e-commerce transactions per year, or up to 1 million Visa or Mastercard transactions in other channels. Level 4 merchants must complete an annual SAQ and may need to perform network vulnerability scans, depending on the requirements of their payment card brand.
Note that the specific requirements and validation procedures vary with factors such as the payment card brand, the merchant's payment channel (e-commerce, point of sale, etc.), and the merchant's relationship with its acquiring bank. Merchants should consult the PCI DSS documentation and work with their payment card brand and acquiring bank to determine their exact merchant level and the corresponding compliance obligations.