A Comprehensive Guide to PCI DSS Merchant Levels

By Aaron Lumnah, Digital Marketing Manager

If you’re a merchant taking credit card payments through any channel, whether at the point of sale (POS), over the phone, or through e-commerce, you’ll know that you’re required to comply with the Payment Card Industry Data Security Standard, or PCI DSS for short. While compliance can bring different requirements depending on a merchant’s payment environment, it’s best to understand the basics and build from there.

To help you understand the different PCI DSS merchant levels and how they affect your compliance efforts, we’ve compiled a comprehensive guide. Read on to learn more.

History of the PCI DSS

The PCI DSS grew out of the separate cardholder data security programs the major card brands ran in the early 2000s (Visa's CISP and Mastercard's SDP among them). The five largest brands, Visa, Mastercard, American Express, Discover, and JCB, first aligned those programs into a single standard, PCI DSS 1.0, released in December 2004, and in 2006 they formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain it and to tackle the ever-growing issue of card fraud. Instead of burdening merchants with five separate security standards, the brands pooled their resources behind one comprehensive standard that all five accept.

As the cybersecurity landscape has evolved, the PCI DSS has had to change with it to address new threats and attacker tactics. Since the initial 1.0 release in 2004 the standard has undergone several revisions; the current one at the time of writing is version 3.2, released in April 2016. Unfortunately for merchants, the number of associated security controls has grown with each revision, with the full standard now running to roughly 400 individual requirements and sub-requirements.


Fortunately, how much of that applies to a given merchant depends on two things: the merchant's annual transaction volume, which sets its merchant level and therefore how compliance must be validated, and the way it accepts cards, which determines which requirements are in scope. A merchant that never stores, processes, or transmits cardholder data on its own systems answers far fewer questions than one that does.

PCI DSS Merchant Levels

There are four merchant levels, each with its own set of validation requirements, determined largely by the number of transactions processed each year.

Why define separate levels in the first place? As Margaret Rouse puts it in her article on the subject, “The payment card industry (PCI) uses merchant levels to determine risk and ascertain the appropriate level of security for their businesses. Specifically, merchant levels determine the amount of assessment and security validation that is required for the merchant to pass PCI DSS assessment.”

At an extremely high level, the PCI DSS merchant levels are as follows:

  • Level 1 – Over 6 million transactions annually
  • Level 2 – Between 1 and 6 million transactions annually
  • Level 3 – Between 20,000 and 1 million transactions annually
  • Level 4 – Less than 20,000 transactions annually

While these tiers seem straightforward at first glance, it can be harder than it looks to work out exactly which one your organization falls into, because each card brand maintains its own table of merchant levels and defines them a bit differently. Note also that the thresholds are counted per brand, so a merchant could, in principle, sit at different levels with different brands.

Even though the card brands define their own levels, Discover, Visa, and Mastercard use the same general criteria with only minor differences. JCB and American Express have their own versions, but it is generally accepted that if you are a given level for one brand you will be treated as that level by all of them, with a few minor exceptions. To learn more about these exceptions, refer to the blog post on the subject by our friend Jeff Hall over at the PCI Guru.


Taking a closer look, the merchant levels are as follows:

Level 1

  • Criteria:
    • Merchants processing more than 6 million Visa, Mastercard, or Discover transactions annually via any channel
    • Merchants processing more than 2.5 million American Express transactions annually
    • Merchants processing more than 1 million JCB transactions annually
    • Merchants that have suffered a data breach or cyberattack that resulted in cardholder data being compromised
    • Merchants that have been identified by another card issuer as Level 1
  • Validation Requirements:
    • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
    • Quarterly network scan by Approved Scan Vendor (ASV)
    • Attestation of Compliance Form

Level 2

  • Criteria:
    • Merchants processing between 1 million and 6 million Visa, Mastercard, or Discover transactions per year via any channel
    • Merchants processing between 50,000 and 2.5 million American Express transactions annually
    • Merchants processing less than 1 million JCB transactions annually
  • Validation Requirements:
    • Annual Self-Assessment Questionnaire (SAQ)
    • Quarterly network scan by Approved Scan Vendor (ASV)
    • Attestation of Compliance Form

Level 3

  • Criteria:
    • Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually
    • Merchants processing more than 20,000 Mastercard e-commerce transactions annually, but less than or equal to 1 million total Mastercard transactions annually
    • Merchants that process 20,000 to 1 million Discover card-not-present only transactions annually
    • Less than 50,000 American Express transactions
  • Validation Requirements:
    • SAQ
    • Quarterly network scan by ASV
    • Attestation of Compliance Form

Level 4

  • Criteria:
    • Merchants processing less than 20,000 Visa or Mastercard e-commerce transactions annually
    • All other merchants processing up to 1 million Visa or Mastercard transactions annually
  • Validation Requirements:
    • These largely depend on the requirements of the merchant’s acquiring bank
    • Typically include an SAQ and Quarterly Network Scan by ASV

As you can see, the validation requirements vary greatly among levels. Merchants at Level 1 face the most expensive and resource-intensive requirements, including validation by an outside assessor, while those at Level 4 face far simpler and less expensive ones. Note that the level only changes how compliance is validated; every merchant, whatever its level, is expected to comply with the PCI DSS requirements that apply to its environment.


What Is a Report on Compliance (ROC)?

All Level 1 merchants must have a Report on Compliance completed as part of their annual PCI DSS assessment. The ROC follows the PCI SSC's reporting template, which has six sections that together form a wide-ranging report:

  • Section 1: Executive Summary
  • Section 2: Description of Scope of Work and Approach Taken
  • Section 3: Details about Reviewed Environment
  • Section 4: Contact Information and Report Date
  • Section 5: Quarterly Scan Results
  • Section 6: Findings and Observations

A Qualified Security Assessor produces the ROC during the annual onsite assessment (Visa and Mastercard also accept a ROC completed by a merchant's own PCI SSC-certified Internal Security Assessor). The assessor submits it, together with the Attestation of Compliance, to the organization's acquiring bank, which forwards it to the card brands for compliance verification.


What Is a Self-Assessment Questionnaire (SAQ)?

Smaller merchants typically complete SAQs instead of engaging a QSA to validate their PCI DSS compliance. As the name implies, the SAQ is a self-validation tool that organizations complete on their own. It consists of a series of questions mapped to the 12 requirements of the PCI DSS, each answered Yes, No, or Not Applicable (a Yes may rely on a documented compensating control). Every "No" answer must be accompanied by an action plan describing what the organization will do to meet the requirement and by when. In addition to the questions themselves, the SAQ includes an Attestation of Compliance that an officer of the organization must sign.

The PCI SSC distributes nine questionnaires corresponding to different merchant environments. Merchants must complete the one that matches most closely to the way they accept payment cards.


Achieving PCI DSS More Simply and Cost Effectively

To achieve PCI DSS compliance, organizations must first determine what merchant level they fall into. Once they understand their merchant level, they can then take concrete actions to validate their compliance with the twelve requirements.

If your organization operates a call or contact center and takes payments over the phone, Semafone can help by significantly reducing the number of PCI DSS controls that apply to you: remove cardholder data from your infrastructure entirely and descope your whole contact center in the process. Learn more today!
