Companies that process credit card payments must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). Two essential questions for all organizations seeking PCI compliance are what is merchant PCI compliance? and what does it require? Below, we answer these and other questions about PCI merchant level requirements applicable to your business.
PCI Merchant Level Requirements for all Organizations
The DSS is overseen and enforced by the Security Standards Council (SSC) of the PCI. Who defines merchant levels for PCI? The SSC Founding Members (Visa, Mastercard, American Express, JCB, and Discover) each define the specific requirements across four levels:
- PCI Merchant Level 1, comprising the largest companies with the most transactions
- PCI Merchant Level 2, comprising medium to large companies with many transactions
- PCI Merchant Level 3, comprising medium-sized companies with moderate transactions
- PCI Merchant Level 4, comprising the smallest companies with the fewest transactions
All Founding Members define the levels and their requirements slightly differently, but this blog will focus on Visa’s definitions, with some attention paid to how Mastercard’s differ.
PCI DSS Compliance Requirements for Merchants at Level 1
All merchants to whom PCI compliance applies need to implement the DSS framework in its entirety. That includes the 12 core Requirements, along with all sub-requirements and niche controls housed within. Where compliance efforts differ between levels is how companies must assess and report on their compliance, whether internally or externally.
The Visa PCI DSS compliance guide defines all merchants that process over six million annual transactions, across all channels, as Merchant Level 1. Mastercards’ PCI DSS breakdown adds a factor that any organization suffering an incident leading to the compromise of account data will also qualify as Level 1, irrespective of the company’s size or annual transaction volume.
Note, however, that any merchant may be identified explicitly by Visa or Mastercard as Level 1 absent these criteria.
For both Visa and Mastercard, entities at the highest level must submit a Report on Compliance (ROC), overseen by a PCI SSC Qualified Security Assessor (QSA). An ROC requires a long-term, on-site audit to verify compliance. RSI Security is a full-service QSA.
PCI DSS Compliance Requirements for Merchants at Level 2
Merchant Level 2 comprises organizations with less overall transaction volume than those at Level 1. Both Visa and Mastercard have the same threshold for Level 2: organizations handling over one million but fewer than six million total transactions annually, across all commerce channels.
To verify compliance at Merchant Level 2, merchants must submit two forms of documentation:
- A Self Assessment Questionnaire (SAQ), which is filled out by the merchant internally
- An Attestation of Compliance (AOC), in which a QSA verifies the contents of the SAQ
Organizations at Merchant Level 2 may be on the verge of achieving Level 1 status. If they logged just under six million transactions in the previous fiscal year, they should consider consulting with their QSA about upgrading from SAQ to ROC auditing and reporting.
PCI DSS Compliance Requirements for Merchants at Level 3
Organizations that qualify for PCI Merchant Level 3 process between 20,000 and one million transactions annually. For Visa, this threshold pertains to e-commerce transactions exclusively. Mastercard adds the wrinkle, however, that Merchant Level 3 applies to merchants with over 20,000 e-commerce transactions but fewer than one million transactions across all channels.
Note that Mastercard’s Level 3 also includes any company that qualifies as Visa Level 3.
For both companies, the specific documentation required at Merchant Level 3 is identical to what is required at Merchant Level 2. The only real difference is that, since Level 3’s thresholds are significantly lower than Level 1’s, there is less of an onus to prepare for a ROC at Level 1.
PCI DSS Compliance Requirements for Merchants at Level 4
Finally, PCI Merchant Level 4 applies to those organizations with the fewest annual transactions. For Visa, this includes merchants that process fewer than 20,000 e-commerce transactions or up to one million total transactions annually. Mastercard’s thresholds are identical.
Merchants at this lowest level must submit an annual SAQ but do not need any additional verification from a third party (i.e., no AOC or ROC). However, these organizations generally still need to work with an Approved Scanning Vendor (ASV) for certain sub-requirements within DSS Requirement 11.
RSI is one of the few service providers who is both a QSA and an ASV—we’re a full-service PCI advisory partner. We will facilitate achieving and maintaining compliance at any Merchant Level.
Secure PCI DSS Compliance at Any PCI Merchant Level
Just as organizations seeking compliance may wonder who defines merchant levels for PCI?, their individual and business clients are justified in wondering how do I know if a merchant is PCI compliant?
This is one reason maintaining compliance is critical. Another reason is that implementing the cyberdefense architecture required for PCI compliance strengthens your overall security posture, minimizing incident likelihood and impact (if they happen).
To comply with all PCI merchant level requirements applicable to you, contact us today!