PCI DSS compliance Level 3 applies to mid-sized merchants, generally speaking, that process 20,000 to 1 million credit card transactions per year.
However, as with all PCI compliance levels, the exact number of transactions that qualify a merchant for PCI Level 3 is highly dependent on which credit cards the merchant accepts. Also, for PCI Level 3, the number of e-commerce transactions versus in-store transactions is essential.
What are PCI DSS Levels?
First created by credit card companies Visa, MasterCard, Discover, and American Express in 2004, PCI DSS aims to reduce the risk of debit and credit card fraud and data loss.
The PCI standard outlines how to prevent and detect online fraud and data loss and how businesses should respond in the event of a data breach. In addition, PCI DSS includes protection for cardholders and merchants.
Merchants who fail to comply may face fines and be barred from accepting card payments. Although the PCI SSC sets the PCI Security Standards, each payment or credit card brand has its compliance, verification levels, and enforcement schedule.
PCI DSS (Payment Card Industry Data Security Standard) merchant levels are the annual ranking of credit and debit card transactions, broken down into four levels. The payment card industry (PCI) uses merchant levels to identify fraud risks and determine the appropriate level of security for their businesses.
PCI merchant levels determine the amount of assessment and security validation required to pass PCI DSS assessment. PCI DSS specifies the procedures that must be followed by all merchants who process card payments and store or transmit credit, debit, or prepaid card information to ensure secure transactions.
All merchants must comply with one of the four PCI compliance levels established by the PCI SSC (PCI Security Standards Council) to ensure that any payment or customer data they transmit, process, or store is secure.
How Do I Know If I’m a PCI Level 3 Merchant?
Your organization qualifies as a PCI Level 3 merchant if it meets any of the following criteria:
- Processes 20,000 to 1 million Visa e-commerce transactions per year
- Processes 20,000 Mastercard e-commerce transactions per year, but less than or equal to 1 million total Mastercard transactions per year
- Process 20,000 to 1 million Discover “cardless” (e-commerce) transactions per year
- Processes less than 50,000 American Express transactions per year
Note that card provider JCB does not have Level 3. All sellers who process less than 1 million JCB transactions per year qualify as Level 2 merchants.
How Does Level 3 Merchant Ensure PCI DSS Compliance?
Unlike PCI Level 1 merchants, PCI Level 3 merchants are not required to undergo an annual onsite audit by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). Also, PCI Level 3 merchants do not need the resulting Compliance Report (ROC) to be PCI DSS compliant.
The verification requirements for PCI Level 3 merchants are the same as for PCI Level 2 merchants:
- Annual Self-Assessment Questionnaire (SAQ)
- Approved Scanning Vendor (ASV) performs a quarterly network scan
- Conformity confirmation form
While PCI Level 3 merchants are not required to conduct an onsite audit or obtain a ROC, some may choose to undergo PCI compliance auditing to strengthen their business profile or ensure that the cardholder data environment is completely secure.
For merchants and financial institutions, payment and internet service providers must also verify PCI DSS compliance. However, there is no PCI Level 3 compliance for service providers. Instead, those that process fewer than 300,000 payment card transactions per year qualify as PCI Level 2 service providers.
Why Use PCI Merchant Levels?
The payment card industry uses merchant levels to determine the evaluation and security verification required for a merchant to pass a PCI DSS assessment.
All levels except PCI Level 1 must complete a self-assessment questionnaire (SAQ) and perform an external vulnerability scan quarterly using an Approved Scan Vendor (ASV). In addition, PCI Level 1 merchants must have data security assessments in place.
Merchants classified as PCI Level 1, PCI Level 2, or PCI Level 3 must report their PCI compliance status directly to their receiving bank. Traders classified as PCI Level 4 should consult their acquiring bank to determine if they need to verify their PCI compliance.
For PCI Level 1 merchants, compliance with PCI DSS requires submitting an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), also known as a PCI Level 1 onsite assessment, or by the internal auditor if signed by a company official. Also, the Attestation of Compliance (AOC) Form requires a quarterly network scan by the Approved Scan Vendor (ASV).
Typical compliance requirements for PCI Level 2, PCI Level 3, and PCI Level 4 merchants submit an Annual Self-Assessment Questionnaire (SAQ), a quarterly network scan by an ASV, and a Confirmation of Compliance form. However, PCI Level 4 merchants may not be subject to all these requirements.