PCI DSS merchant levels

The PCI DSS (Payment Card Industry Data Security Standard) merchant levels rank merchants into four levels by the number of card transactions they process per year. The payment card industry (PCI) uses merchant levels to gauge a merchant's fraud risk and the level of security validation appropriate for its business. A merchant's level determines how much assessment and security validation it must complete to pass a PCI DSS assessment. The PCI DSS itself specifies the steps that all merchants who process card payments and store or transmit credit, debit or prepaid card information must follow to provide secure transactions.

To ensure that any payment or customer data they transmit, process or store is secure, all merchants are required to adhere to one of the four levels of PCI compliance established by the PCI SSC (PCI Security Standards Council).

Originally created by credit card companies Visa, MasterCard, Discover and American Express in 2004, the goal of PCI DSS is to decrease the risk of debit and credit card fraud and data loss.

The standard provides information about how online fraud and data loss can be prevented and detected and how companies should react in the event of data breaches. The PCI DSS offers protection for cardholders as well as merchants.

Merchants that don't follow the requirements could face fines as well as be prevented from processing card payments. Although the PCI SSC sets the PCI Security Standards, each payment or credit card brand has its own program for compliance, validation levels and enforcement.

PCI DSS merchant levels

The PCI DSS merchant levels include:

  • Level 1: Merchants with over 6 million transactions a year across all channels, or any merchant that has had a data breach
  • Level 2: Merchants with between 1 million and 6 million transactions annually across all channels
  • Level 3: Merchants with between 20,000 and 1 million online transactions annually
  • Level 4: Merchants with fewer than 20,000 online transactions a year, or any merchant processing up to 1 million regular transactions per year

Why merchant levels are used

The payment card industry uses merchant levels to determine the amount of assessment and security validation that is required for the merchant to pass a PCI DSS assessment.

All levels, except Level 1, must complete a self-assessment questionnaire as well as have a quarterly external vulnerability scan using an Approved Scanning Vendor (ASV). Level 1 merchants are required to have onsite data security assessments.

Merchants categorized as Level 1, Level 2 or Level 3 are required to report their PCI compliance status directly to their acquiring banks. Merchants classified as Level 4 should consult their acquiring banks to determine if they are required to validate their PCI compliance.

For Level 1 merchants, compliance with the PCI DSS requires submission of an annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA), also known as a Level 1 onsite assessment, or by an internal auditor if signed by an officer of the company; a quarterly network scan by an Approved Scanning Vendor is also required, as is an Attestation of Compliance (AOC) form.

Typical compliance requirements for Level 2, Level 3 and Level 4 merchants include submission of an Annual Self-Assessment Questionnaire (SAQ), a quarterly network scan by an ASV and an Attestation of Compliance form; however, Level 4 merchants may not be subject to all these requirements.
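The level thresholds and the validation artifacts tied to each level, as an added example that is not part of the original article. It assumes the boundary readings noted in the comments (exactly 1 million all-channel transactions is treated as Level 2; the breach override always wins); the merchant records are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Merchant:
    """Sample merchant record (constructed data). Counts cover the past 52 weeks."""
    name: str
    annual_transactions: int      # all channels combined
    annual_online: int            # e-commerce subset of the above
    had_breach: bool = False      # any prior cardholder-data breach

def merchant_level(m: Merchant) -> int:
    """Map a merchant to a PCI DSS level using the thresholds in the article."""
    # Level 1: over 6 million transactions across all channels, or any breach.
    if m.had_breach or m.annual_transactions > 6_000_000:
        return 1
    # Level 2: 1 million to 6 million across all channels.
    # Assumption: exactly 1,000,000 is counted as Level 2, not Level 4.
    if m.annual_transactions >= 1_000_000:
        return 2
    # Level 3: 20,000 to 1 million online transactions.
    if m.annual_online >= 20_000:
        return 3
    # Level 4: fewer than 20,000 online, or up to 1 million regular transactions.
    return 4

def validation_requirements(level: int) -> dict:
    """Validation artifacts the article lists for each level."""
    if level == 1:
        return {"assessment": "ROC by QSA or signed internal audit (onsite)",
                "asv_scan": "quarterly", "aoc": True,
                "report_to_acquirer": "required"}
    if level in (2, 3):
        return {"assessment": "annual SAQ",
                "asv_scan": "quarterly", "aoc": True,
                "report_to_acquirer": "required"}
    # Level 4: same artifacts in principle, but the acquirer decides what applies.
    return {"assessment": "annual SAQ (confirm scope with acquirer)",
            "asv_scan": "quarterly (confirm with acquirer)", "aoc": True,
            "report_to_acquirer": "consult acquirer"}

def compliance_plan(m: Merchant) -> dict:
    """Level plus required validation for one merchant."""
    level = merchant_level(m)
    return {"merchant": m.name, "level": level, **validation_requirements(level)}

if __name__ == "__main__":
    for m in (Merchant("big-retailer", 7_000_000, 900_000),
              Merchant("breached-shop", 300_000, 12_000, had_breach=True),
              Merchant("mid-retailer", 2_500_000, 0),
              Merchant("web-store", 800_000, 60_000),
              Merchant("corner-shop", 40_000, 3_000)):
        print(compliance_plan(m))
```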

Who the PCI DSS levels apply to

The PCI DSS levels apply to all merchants, processors, acquirers, issuers and service providers, regardless of size or number of transactions, that accept, transmit or store any cardholder data online.

Penalties for non-compliance with PCI DSS

To ensure that they're doing everything necessary to meet the compliance requirements, merchants need to verify their transaction volumes from the past 52 weeks with the assistance of their acquiring banks.

Merchants at every level must also be sure they're following all the PCI requirements for their particular levels. Merchants may also need the help of approved vendors or payment processing partners to conduct the validation. When the validation has been completed and sent to the acquiring banks, those banks will then pass on their merchants' compliance status to the card brands with which they do business.

The card companies can fine merchants that are not in compliance with PCI DSS between $5,000 and $100,000 per month until they address each compliance issue.

The penalties depend on the merchant's volume of clients, volume of transactions, level of PCI DSS that the company should be on, and how long it has been non-compliant. If the merchant doesn't resolve the problem to the satisfaction of the card company, the merchant's ability to accept cards may be revoked.

The Federal Trade Commission also monitors organizations that don't comply with PCI DSS. In addition to imposing its own regulations, the FTC can penalize companies for non-compliance.

This was last updated in December 2018
