PCI DSS Compliance Levels

PCI compliance levels are divided into four levels depending on the annual credit or debit card transactions. The PCI compliance level defines what an organization must do to stay compliant and what requirements it must meet.

Four PCI compliance levels classify merchants over 12 months based on the total volume of credit, debit card, and prepaid card transactions.

The critical point to note here is that payment brands define the level of merchants. However, they are the acquiring banks that decide the merchants’ PCI Compliance levels depending on the annual transaction volume. As a result, it should be noted that a merchant may have different PCI compliance levels for other payment brands.

See Also: What is PCI DSS and PCI Compliance?

The volume of merchant transactions usually depends on the total number of merchant transactions. However, the payment transaction policy is different for each payment brand or receiving institution.

In cases where a merchant has more than one line of business or several acquiring bank relations, the merchant should consult directly with the acquiring organizations or payment brands to determine the level of compliance.

See Also: What are PCI Service Provider Compliance Levels

Also, if a merchant experiences a breach that compromises cardholder data, it can be raised to a higher compliance level.

Below is a useful list of links to help you understand the description of their eligibility levels for each credit card brand:

Below is an overview of PCI compliance level criteria and validation requirements for merchants.

PCI DSS Merchant Compliance Levels
PCI DSS Merchant Compliance Levels
PCI DSS Merchant Compliance Requirements
PCI DSS Merchant Compliance Requirements

PCI Level 1 Merchants

PCI Level 1 is valid for merchants that process more than six million credit or debit card transactions annually across all channels (card present, card not available, e-commerce).

  • Over six million Visa, MasterCard or Discover transactions
  • Two and a half million or more American Express transactions
  • Over a million JCB transactions

PCI level 1 merchant will be subject to a PCI DSS audit annually by an authorized PCI QSA auditor. Besides, they must perform a PCI ASV scan every quarter by the Approved Scanning Vendor (ASV) and send those scans to the appropriate authorities.

Any global merchant with at least 6 million transactions in all regions can make all business regions and units PCI compliant.

Merchants accepted as Level 1 must do the following to be PCI compliant:

  • Complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA).
  • Network scans must be performed quarterly by the Approved Scanning Vendor (ASV).
  • Complete the Attestation of Compliance (AOC) Form.

PCI level 1 is the strictest PCI DSS compliance level and is the only level that requires an on-site PCI DSS audit every year. Therefore, becoming PCI compliant often takes longer for level 1 merchants.

Besides, merchants must report the results of their audits to the “acquiring banks” defined by the PCI SSC. It should be noted that acquiring banks are subject to payment brand rules and procedures regarding merchant compliance.

PCI Level 2 Merchants

PCI Level 2 is valid for merchants that process between one and six million credit or debit card transactions annually across all channels (card present, card not available, e-commerce). They must conduct an assessment once a year using a self-assessment questionnaire (SAQ). Also, they may need a quarterly PCI ASV scan.

  • One to six million Visa, MasterCard or Discover transactions
  • 50,000 to two and a half million American Express transactions
  • Less than a million JCB transactions

Merchants considered Level 2 must do the following for PCI compliance:

  • Complete the appropriate annual PCI self-assessment questionnaire (SAQ).
  • Perform a quarterly network scan by the Approved Scanning Vendor (ASV).
  • Complete the Attestation of Compliance (AOC) Form.

PCI Level 2 merchants do not need an on-site PCI DSS audit unless they are subject to a data breach or cyber-attack that compromises credit card or cardholder data. However, the level 2 merchant may request an on-site PCI DSS audit and ROC if the acquiring bank deems it appropriate.

Otherwise, PCI Level 2 merchants can assess their compliance by completing and submitting a Self-Assessment Questionnaire (SAQ). Also, their networks must be scanned quarterly by the Approved Scanning Vendor (ASV).

The completion of the SAQ depends on the SAQ type chosen. There are different numbers of questions and requirements within each SAQ type. For this reason, most organizations try to narrow the scope of their audits or assessments to save time and expense.

PCI Level 3 Merchants

PCI Level 3 applies to merchants that handle between 20,000 and one million annual e-commerce transactions. They must complete the annual evaluation using the appropriate SAQ. It may also require a quarterly PCI ASV scan.

  • 20,000 to one million Visa e-commerce transactions annually
  • 20,000 annually e-commerce transaction by MasterCard and Maestro, but less than or equal to one million total annual e-commerce transactions by MasterCard and Maestro.
  • 20,000 to one million annual transactions without Discover card
  • Less than 50,000 American Express transactions
  • JCB International has no Tier 3 member businesses.

Merchants that are deemed to be PCI Level 3 must do the following to be PCI compliant:

  • Complete the appropriate annual PCI self-assessment questionnaire (SAQ).
  • Perform a quarterly network scan by the Approved Scanning Vendor (ASV).
  • Complete the Attestation of Compliance (AOC) Form.

Note that card provider JCB does not have a PCI Level 3 merchant definition. All merchants that process less than 1 million JCB transactions per year qualify as PCI Level 2 merchants.

While PCI Level 3 merchants generally do not need to have an on-site PCI DSS audit or a ROC, some may choose to improve their image or ensure that their cardholder data environment is completely secure.

PCI Level 4 Merchants

PCI Level 4 applies to merchants that handle less than 20,000 e-commerce transactions per year, or merchants that process up to one million transactions through all channels (card present, card not present, e-commerce).

Alternatively, a merchant that processes less than 20,000 card transactions per year via e-commerce alone can also apply for PCI Level 4 status. JCB International and Amex do not have the PCI Level 4 merchant designation. An annual self-assessment form should be completed using the appropriate SAQ for PCI Level 4. Besides, a quarterly PCI ASV external network security scan may be required.

Merchants that are deemed to be PCI Level 4 must do the following to be PCI compliant:

  • Complete the appropriate annual PCI self-assessment questionnaire (SAQ).
  • Perform a quarterly external network security scan by the Approved Scanning Vendor (ASV).
  • Complete the Attestation of Compliance (AOC) Form.

Discover, American Express, or JCB has no Level 4 merchant designations.

How to Determine an Organization’s PCI Merchant Level?

Merchants can evaluate their PCI compliance levels by communicating with their service providers or using their reporting tools. Compliance requirements for PCI Level 1-3 merchants are even more complicated due to their companies’ size and complexity.

They are also more likely to have internal information technology and compliance departments to run and monitor compliance programs.

See Also: PCI Compliance Reports: What Do SAQ, AoC, and RoC Mean?

Many merchants that define themselves as small or medium-sized businesses fall below category level 4. While compliance requirements are somewhat more straightforward, these merchants often find it more challenging to meet the needs when they do not have internal information technology and compliance departments.

All merchants need to remember that the only authority that can assess the level of compliance is the institution that performs transactions with the bank or card brand.

Although it is quite confusing to determine your current compatibility level if you are working with multiple card companies, you can make it easier to assess your PCI compliance level through the scenarios below.

There are merchant-level levels for Visa, MasterCard, JCB, American Express, and Discover each. At this point, merchants usually ask whose level is valid and which level they will use. The answer is that you only use the card brands’ levels with which you have a reseller agreement.

For the sake of clarity, all card brands recognize and apply the following rule, which has been in effect since the inception of PCI DSS.

For all card brands, a merchant or service provider is always considered to be the highest possible.

For example, let’s assume that a business has 4 million Visa transactions, 3 million MasterCard transactions, and 3 million American Express transactions. This merchant will be defined as a PCI Level 1 merchant since it has reached 2.5 million Level 1 transactions with American Express.

Visa, MasterCard, and Discover have their table of merchant levels. If you compare these level tables, you will see that Visa, MasterCard, and Discover use the same criteria to determine merchant levels.

Therefore, if the only credit card you accept as a merchant is Visa, MasterCard, or Discover, you only need to apply for the Visa tables because the member level criteria are the same.

But you don’t have to worry about merchants that accept American Express or JCB in addition to other card brands. Card brands to make things easier for such situations, if you are at a specific merchant level for another card brand, you will also have this merchant level for each card brand.

Determining Your PCI Merchant Level

PCI Security Council and five-card brands (Visa, MasterCard, American Express, Discover, and JCB) have explained what is expected of merchants. Merchant is defined as the organization that stores, processes, and transmits credit card information and has a vendor identity.

Each merchant is classified as a “level” according to the number of transactions processed in a year and summarized as follows:

  • PCI Level 1 > 6 million transactions
  • PCI Level 2 1 million – 6 million transactions
  • PCI Level 3 20,000 – 1 million transactions
  • PCI Level 4 < 20,000 transactions

Determining the level of merchant often raises questions. In such cases, credit card brands recommend merchants to contact the acquiring banks. Afterward, merchants complete the following steps with the help of the receiving bank:

  • Determine the merchant level using the transaction volume of the last 52 weeks.
  • Confirm the required PCI validation requirements.
  • Contact an approved supplier and follow validation procedures, as appropriate.

Once a merchant has been verified to be compliant, the merchant must submit verification requirements to the acquiring bank. Then the acquiring bank notifies the payment brands of the eligibility status of the merchant.

PCI compliance is undoubtedly a complicated process, but for a good reason. Customer payment data is under constant threat from attackers, and any business that wants to use them should do their best to protect this data.

If the process is too challenging to handle on your own, you may want to consider getting PCI compliance consultancy to guide you. However, since you are ultimately responsible for your business, it is vital to be aware of PCI compliance standards.

Surkay Baykarahttp://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Biznet. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Biznet, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

What are PCI DSS Backup Requirements

PCI DSS compliant backup is the standard compliance required for all businesses that accept card payments. Security controls applied to cardholder data reduce payment card fraud.

What Are the PCI DSS Encryption Requirements

To understand PCI DSS encryption requirements, we must first familiarize ourselves with the source of industry best practices for encryption key management.

What is Inventory and Asset Management for PCI Compliance?

Like many other standards, PCI DSS requires keeping an inventory of all assets. Maintaining an asset inventory of all covered PCI assets is mandatory for PCI DSS requirement 2.4.

22 COMMENTS

  1. I really like what you guys tend to be up too. This type of clever work and reporting!
    Keep up the fantastic works guys I’ve incorporated you guys to my own blogroll.

  2. I think this is one of the most important info for me.
    And i’m glad reading your article. But wanna remark on some general things, The website style is
    great, the articles is really excellent : D.
    Good job, cheers

  3. The pci compliance levels are basically 4, but when you go into detail, it becomes difficult to get out. anyway thanks for the details

  4. Excellent publish, very informative. You must proceed your writing. I’m sure, you have a huge readers’ base already!

  5. Thanks , I’ve just been searching for info about this topic for a long time and yours is the best I’ve came upon till now.

  6. You completed some fine points there. I did a search on the subject and found nearly all persons will go along with with your blog.

  7. Hello.This post was extremely interesting, especially because I was browsing for thoughts on this subject last Sunday.

Comments are closed.

Related posts

Latest posts

What are PCI DSS Backup Requirements

PCI DSS compliant backup is the standard compliance required for all businesses that accept card payments. Security controls applied to cardholder data reduce payment card fraud.

What Are the PCI DSS Encryption Requirements

To understand PCI DSS encryption requirements, we must first familiarize ourselves with the source of industry best practices for encryption key management.

What is Inventory and Asset Management for PCI Compliance?

Like many other standards, PCI DSS requires keeping an inventory of all assets. Maintaining an asset inventory of all covered PCI assets is mandatory for PCI DSS requirement 2.4.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!