PCI DSS merchant levels

What are PCI DSS merchant levels?

Payment Card Industry Data Security Standard (PCI DSS) merchant levels group merchants by the number of card transactions they handle per year, and the level a merchant falls into determines how it must validate its compliance. Merchants are broken down into four levels: 1, 2, 3 and 4.

The card brands use merchant levels as a proxy for risk. Every merchant that handles cardholder data must meet the same PCI DSS requirements regardless of level; what the level changes is the assessment and validation work needed to demonstrate compliance, such as whether an on-site assessment by a qualified assessor is required or a self-assessment questionnaire is enough.

PCI DSS was created in 2004 by the card brands Visa, Mastercard, Discover, JCB and American Express to reduce the risk of debit and credit card fraud and cardholder data loss. In 2006, the brands established the PCI Security Standards Council (PCI SSC) to own and maintain the standard.

PCI DSS specifies the technical and operational controls an organization must have in place to protect cardholder data, including network segmentation and firewalling, protection of stored card data and encryption of card data in transit, access control, logging and monitoring, and regular security testing. It also requires an incident response plan so that a suspected breach is detected, contained and reported. The standard protects both cardholders and the merchants that accept their cards.

Merchants that don't meet the requirements can face fines and, ultimately, loss of the ability to accept card payments.

PCI DSS merchant levels

Although PCI SSC sets the security standard, each payment card brand runs its own compliance program and defines its own validation levels and enforcement, and each brand counts only its own transactions when placing a merchant in a level. In general, the four PCI DSS merchant levels are the following:

  • Level 1. Merchants with over 6 million transactions a year, across all channels.
  • Level 2. Merchants with between 1 million and 6 million transactions annually, across all channels.
  • Level 3. Merchants with between 20,000 and 1 million e-commerce transactions annually.
  • Level 4. Merchants with fewer than 20,000 e-commerce transactions annually, or any merchant processing up to 1 million transactions a year across all channels.
Figure: PCI DSS merchants can be grouped into four categories, based on transactions per year.

Why merchant levels are used

Merchant levels determine how much assessment and security validation a merchant must complete to pass a PCI DSS assessment and maintain PCI DSS compliance.

Level 1, Level 2 and Level 3 merchants must report their PCI compliance status directly to their acquiring banks. Level 4 merchants should consult their acquiring banks to find out whether, and how, they are required to validate their PCI compliance.

Level 1 merchants must submit an annual Report on Compliance (ROC), also known as a Level 1 on-site assessment, completed by a Qualified Security Assessor (QSA) or by an internal auditor if signed by an officer of the company. Level 1 merchants must also have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) and submit an Attestation of Compliance (AOC) form. Level 2 and Level 3 merchants must complete an annual Self-Assessment Questionnaire (SAQ), submit an AOC, and have quarterly external vulnerability scans by an ASV where their SAQ type requires it. Level 4 merchants may have different requirements, depending on their acquirer.

Who do PCI DSS levels apply to?

PCI DSS itself applies to all merchants, processors, acquirers, issuers and service providers, regardless of size or number of transactions, that accept, process, transmit or store cardholder data. The merchant levels described above apply to merchants; service providers are placed in their own, separate validation levels by the card brands.

What are the penalties for PCI DSS noncompliance?

Merchants should confirm their transaction volumes for the past 52 weeks with their acquiring banks, so that they know which level they fall into and what they must do to meet its validation requirements.

All merchants must meet the PCI requirements outlined for their level. Merchants may need the help of approved vendors or payment processing partners to complete validation. Once validation is complete and submitted to the merchant's acquiring bank, the acquirer reports the merchant's compliance status to the card brands it does business with.

Card brands can levy penalties for PCI DSS noncompliance that range from $5,000 to $100,000 per month until each compliance issue is addressed. The fines are imposed on the acquiring bank, which typically passes them on to the noncompliant merchant under the merchant agreement.

Penalties depend on the merchant's size, volume of transactions, merchant level and how long it has been noncompliant. If a merchant doesn't resolve the problem to the satisfaction of the card brand, the merchant's ability to accept card payments may be revoked.

PCI DSS is a contractual standard enforced by the card brands and acquiring banks, not a law, and the Federal Trade Commission (FTC) does not enforce it directly. The FTC can, however, take action under Section 5 of the FTC Act against companies whose data security practices it finds unfair or deceptive, and a merchant's failure to protect cardholder data can form part of such a case.

Editor's note: This article was republished in March 2023 to improve the reader experience.

This was last updated in March 2023
