Do you know your Merchant Level? A Quick Guide to PCI Compliance Merchant Levels

by P. Heaven

on May 4, 2017

The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules set forth to protect card-using customers from data loss. The standard is maintained and promoted by the PCI Security Standards Council, which is made up of representatives from the major payment card brands such as Visa, MasterCard, and American Express. Whether your company processes 1 or 100,000 credit card transactions a year, you are responsible for making sure your company is PCI compliant and that your customers are protected against a breach of information.

There are four merchant levels, and each card brand defines them individually, which can make things complicated for merchants. The most common form of merchant level categorization is by annual volume of that brand's card transactions. Below is a list of the current categorizations by card brand. If you happen to own a franchise location, there may be additional requirements for you to complete in order to be recognized as compliant through your franchisor.

Becoming compliant is time consuming and complicated. Let NuArx help you by providing your business with a time and cost-effective PCI compliance solution.

877-556-8279 / www.NuArxInc.com

American Express

Level 1
Definition: 2.5 Million or more American Express transactions per year, OR any merchant otherwise deemed Level 1 by American Express
Validation required: Annual Onsite Assessment; Security Assessment Report; Quarterly Network Scan
Requirement: Mandatory

Level 2
Definition: 50,000 to 2.5 Million American Express transactions per year
Validation required: Annual Onsite Assessment; Security Assessment Report; Quarterly Network Scan
Requirement: Mandatory

Level 3
Definition: Less than 50,000 American Express transactions per year
Validation required: Annual Onsite Assessment; Security Assessment Report; Quarterly Network Scan
Requirement: Strongly Recommended*

EMV**
Definition: 50,000 American Express transactions per year, of which 75% are made by the cardholder with the physical card present at a Point of Sale system that is compliant with EMV specifications and capable of processing contact and contactless American Express Chip Cards
Validation required: Annual EMV Attestation
Requirement: Mandatory

* Level 3 merchants and Level 3 Service Providers need not submit Validation Documentation, but nevertheless must comply with, and are subject to liability under, all other provisions of the Data Security Operating Policy.
** EMV is only available for merchants and service providers who have not had a data incident within the twelve (12) months prior to the date of their Annual EMV Attestation.

Visa

Level 1
Definition: 6 Million Visa transactions per year across all channels, OR global merchants identified as Level 1 by any Visa Region
Validation required: Annual Report on Compliance (ROC) filed by a Qualified Security Assessor (QSA) or Internal Auditor; Quarterly network scan by an Approved Scan Vendor (ASV)
Requirement: Mandatory

Level 2
Definition: 1 to 6 Million Visa transactions annually across all channels
Validation required: Annual Self-Assessment Questionnaire (SAQ); Annual Attestation of Compliance (AOC); Quarterly network scan by an Approved Scan Vendor (ASV)
Requirement: Mandatory

Level 3
Definition: 20,000 to 1 Million Visa e-commerce transactions annually
Validation required: Annual Self-Assessment Questionnaire (SAQ); Annual Attestation of Compliance (AOC); Quarterly network scan by an Approved Scan Vendor (ASV)
Requirement: Mandatory

Level 4
Definition: Less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 Million Visa transactions annually
Validation required: Annual Self-Assessment Questionnaire (SAQ); Annual Attestation of Compliance (AOC); Quarterly network scan by an Approved Scan Vendor (ASV)
Requirement: Mandatory

MasterCard

Level 1
Definition (any of the following):
  Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  Any merchant having more than 6 Million total combined MasterCard and Maestro transactions annually
  Any merchant meeting the Level 1 criteria of Visa
  Any merchant that MasterCard determines should meet the Level 1 merchant requirements to minimize risk to the system
Validation required: Annual Onsite Assessment; Quarterly Network Scan conducted by an Approved Scan Vendor (ASV)
Requirement: Mandatory

Level 2
Definition (any of the following):
  Any merchant with more than 1 Million but less than or equal to 6 Million total combined MasterCard and Maestro transactions annually
  Any merchant meeting the Level 2 criteria of Visa
Validation required: Annual Self-Assessment; Onsite Assessment at Merchant Discretion; Quarterly Network Scan conducted by an Approved Scan Vendor (ASV)
Requirement: Mandatory

Level 3
Definition (any of the following):
  Any merchant with more than 20,000 but less than or equal to 1 Million total combined MasterCard and Maestro e-commerce transactions annually
  Any merchant meeting the Level 3 criteria of Visa
Validation required: Annual Self-Assessment; Quarterly Network Scan conducted by an Approved Scan Vendor (ASV)
Requirement: Mandatory

Level 4
Definition: All other merchants
Validation required: Annual Self-Assessment; Quarterly Network Scan conducted by an Approved Scan Vendor (ASV)
Requirement: Mandatory*

* Level 4 merchants are required to comply with the PCI DSS. Level 4 merchants should consult their acquirer to determine whether compliance validation is also required.

Discover

Level 1
Definition (any of the following):
  All merchants processing more than 6 Million card transactions annually on the Discover network
  Any merchant that Discover determines should meet the Level 1 compliance validation and reporting requirements
  All merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant
Validation required: Annual Onsite Assessment; Quarterly Network Scan; Attestation of Compliance from Report on Compliance (ROC)
Requirement: Mandatory

Level 2
Definition: All merchants processing between 1 Million and 6 Million card transactions annually on the Discover network
Validation required: Annual Self-Assessment using the PCI DSS Self-Assessment Questionnaire (SAQ); Quarterly Network Scan; Attestation of Compliance from Self-Assessment Questionnaire (SAQ)
Requirement: Mandatory

Level 3
Definition: All merchants processing between 20,000 and 1 Million card-not-present-only transactions annually on the Discover network
Validation required: Annual Self-Assessment using the PCI DSS Self-Assessment Questionnaire (SAQ); Quarterly Network Scan; Attestation of Compliance from Self-Assessment Questionnaire (SAQ)
Requirement: Mandatory

Level 4
Definition: All other merchants
Validation required: Annual Self-Assessment using the PCI DSS Self-Assessment Questionnaire (SAQ); Quarterly Network Scan; Attestation of Compliance from Self-Assessment Questionnaire (SAQ)
Requirement: Mandatory*

* If an organization does not have a direct acquiring relationship with Discover, its requirements as a Level 4 merchant may be different. These organizations should consult with their acquirer for the appropriate acquirer-determined Level 4 merchant validation and reporting requirements.


Sources
“Data Security Compliance.” Visa USA | PYB – Security Compliance. Visa, n.d. Web. 02 May 2017.
“Data Security for Merchants.” American Express – Merchant Levels. American Express, n.d. Web. 02 May 2017.
“Determining Your Validation and Reporting Requirements.” Discover Global Network. Discover, n.d. Web. 02 May 2017.
“What Merchants Need to Know about Securing Transactions.” Things Merchants Need to Know | Process Payment Data & Secured Transactions | Mastercard. MasterCard, n.d. Web. 02 May 2017.
