What Are the 4 PCI Merchant Compliance Levels?

What you need to know about PCI DSS merchant levels and how they affect your PCI compliance…

Are you here to learn about the PCI compliance levels for merchants? We’ve got you covered with this guide that breaks down the four merchant levels.

Not many people have even heard of the Payment Card Industry Data Security Standards (PCI DSS), but these standards affect everyone with a credit card (or who processes credit card transactions) every day. In 2004, when credit card fraud was running rampant, credit card companies knew they needed some way to mitigate the issue or risk facing a never-ending line of unhappy customers. The problem was that if they tried to force merchants and service providers into meeting their desired security requirements, the merchants would just switch to another credit card company that wasn’t enforcing such high standards.

To combat this, five of the largest credit card companies joined together to create the PCI Security Standards Council and PCI DSS with it. This way, merchants and service providers were forced to play by the council’s rules or face their wrath (in the form of fines from the individual card companies). Yes, I know that last line sounded very Game of Thrones-ish, but I assure you that PCI DSS are for the cardholder’s benefit — they ensure merchants provide top-notch security for the cardholder’s data.

However, with the creation of PCI DSS, it became clear to the PCI Security Standards Council that not all merchants needed to meet the same standards. With the latest iteration of PCI DSS (PCI DSS version 3.2.1), which features hundreds of security controls, it’s neither practical nor necessary for every business to meet every standard, and this is why the PCI DSS merchant compliance levels were created.

In this article, we dive into the PCI DSS merchant compliance levels, what their differences are, and how each level affects companies differently.

More on PCI DSS & Why Merchant Compliance Levels Are Necessary

The point behind PCI DSS is to mitigate vulnerabilities and enforce security standards that help merchants better protect cardholder data. Unfortunately, data is a very sought-after and lucrative target for hackers. Since 2005, there have been more than 11 billion data records breached, according to privacyrights.org. This is why security is needed for the entire card-handling process, as there are a number of areas that could be breached.

From processing devices to servers to web applications to transmitting data, every step of the process needs some type of security. PCI DSS extends beyond merchants to ensure that even service providers meet the standards. Service providers are defined as “financial institutions that initiate and maintain the relationships with merchants that accept payment cards.”

To avoid facing noncompliance fines, merchants and service providers must maintain PCI compliance. The PCI DSS compliance levels help merchants know what requirements they are expected to meet.

For more on PCI DSS compliance levels, keep on reading.

What Are the PCI Compliance Levels for Merchants?

Now it’s time to dive into the PCI DSS compliance levels. These are focused on PCI merchant compliance levels (as opposed to service providers). The one thing that makes compliance levels a tad tricky is that each of the five major credit card brands has its own criteria for the compliance levels.

We broke each level down by the credit card brand, so you can easily tell which level you are. Also, we start with the least demanding PCI merchant compliance levels and work our way up to the most demanding one.

| Credit Card Brand | Their Criteria to Determine Level 1 Merchants |
|---|---|
| American Express | 2.5M+ American Express card transactions annually |
| Discover Financial Services | 6M+ Discover card transactions annually, or if another credit card brand deemed you a Level 1 Merchant |
| JCB International | More than 1M JCB card transactions annually |
| Mastercard | 6M+ combined Mastercard and Maestro card transactions annually or has suffered a cyber-attack that has resulted in compromised data |
| Visa | 6M+ Visa card transactions annually |

NOTE: All credit card brands reserve the right to deem a merchant Level 1 at their sole discretion.

| Credit Card Brand | Their Criteria to Determine Level 2 Merchants |
|---|---|
| American Express | 50,000-2.5M American Express card transactions annually |
| Discover Financial Services | 1M-6M Discover card transactions annually via their network |
| JCB International | Less than 1M JCB card transactions annually |
| Mastercard | 1M-6M combined Mastercard and Maestro card transactions annually |
| Visa | 1M-6M Visa card transactions annually |

| Credit Card Brand | Their Criteria to Determine Level 3 Merchants |
|---|---|
| American Express | 10,000-50,000 American Express card transactions annually |
| Discover Financial Services | All other merchants who process fewer than 1M Discover card transactions annually |
| JCB International | JCB does not have a Level 3 ranking |
| Mastercard | 20,000-1M combined Mastercard and Maestro card transactions annually |
| Visa | 20,000-1M Visa ecommerce transactions annually |

| Credit Card Brand | Their Criteria to Determine Level 4 Merchants |
|---|---|
| American Express | Less than 10,000 American Express card transactions annually |
| Discover Financial Services | Discover does not have a Level 4 ranking |
| JCB International | JCB does not have a Level 4 ranking |
| Mastercard | Fewer than 20,000 combined Mastercard and Maestro card transactions annually |
| Visa | All merchants processing up to 1M transactions annually or fewer than 20,000 Visa ecommerce transactions |

How Do PCI DSS Compliance Levels Relate to Staying PCI Compliant?

If you handle cardholder data in any way, you need to be PCI compliant. To prove you are PCI compliant, you must undergo an annual validation to prove that you meet the necessary requirements. The PCI DSS compliance levels help credit card companies know what type of annual validation you must go through to demonstrate that you meet their expected standards.

Below, we lay out what you need to know about maintaining PCI compliance through your annual validation based on your PCI DSS compliance level.

Level 4-2 Merchants

If you’re a merchant who falls within the PCI merchant levels 4, 3, or 2, you’re expected to complete the same general annual validation requirements across all three levels and all five credit card companies. There are very slight differences in the expectations, which you can review at the links directed to your acquiring bank in the “What Are the PCI DSS Compliance Levels?” section above. But in general, here is what Level 4-2 Merchants need to do during their annual validations:

Download and Complete a PCI Self-Assessment Questionnaire

This part is simple. All you need to do is download the correct PCI self-assessment questionnaire and answer the questions listed on it. The operative word in the last sentence is “correct” as there are eight PCI-DSS self-assessment questionnaires to choose from and it’s essential that you select the right one. They are sorted by how you accept payment cards.

Complete an Attestation of Compliance

Your attestation of compliance (AOC) will be included with your PCI self-assessment questionnaire when you download it. The AOC is nothing more than confirming you’re validated and gaining signatures from the appropriate parties.

Conduct Vulnerability Scanning

To ensure you are, indeed, secure and meeting the expected security standards, you’ll need to have a vulnerability scan assessment completed by an Approved Scanning Vendor (ASV). An ASV is a data security firm that has been vetted and approved by the PCI Security Standards Council and uses a scanning solution to help verify whether you’re PCI compliant.

You should note that the ASVs reserve the option to use either an approved open source security solution or their own software. The task and responsibility of finding an ASV falls on you as the one seeking compliance.

Level 1 Merchants

If you’re a Level 1 Merchant, your road is a bit more involved. You’ll also need to complete a PCI Annual Vulnerability Scan by an Approved Scanning Vendor and an Attestation of Compliance. But rather than needing to do a PCI self-assessment questionnaire, you’ll need to undergo an on-site security assessment by a Qualified Security Assessor (QSA) instead.

The goal of this on-site assessment is to confirm that you meet the appropriate PCI DSS. The QSA will do this by reviewing all of your payment card procedures and systems and using their own “independent judgment” to verify that you meet the standards.

When you search for a QSA, it’s best if you look for someone who has knowledge of your industry and gives you the feeling that they would mesh with your company culture. The QSA will not simply come in and give you a stamp saying that you’re “approved” or “not approved” — it’s their job to be a resource as well and to help your company meet PCI DSS (hence the recommendation of finding the right fit). Furthermore, it’s also recommended that you look for a QSA that is an ASV, too, so you can kill two birds with one stone.

A Final Word on the PCI DSS Compliance Levels

From PCI DSS compliance levels to how the levels affect merchants and their PCI compliance process, we have come to the end of our road. If you handle cardholder data, it’s vital you stay up on this information and know what PCI DSS merchant compliance level you are. Make sure you do whatever you can to stay PCI compliant.

One way to streamline the process of attaining and maintaining PCI compliance is to use a PCI compliance scanner tool. An automated tool such as HackerGuardian will scan your entire network, compile issues, make recommendations on how to resolve them and then put together a final report ready for you to submit to your acquiring bank.

About the author

Danny is a writer and editor with a background in journalism, marketing and communications. He is a tech enthusiast and writes about technology, website security and cyber security.