How do Merchant Levels Determine PCI Compliance?
Learn more about merchant levels and how they affect PCI requirements.
Did you know that merchants have different PCI requirements depending on their level? Did you know there are different levels of merchants? The number and type of requirements will vary based on the number of transactions processed annually, which determines your merchant level.Here’s a quick look at the different merchant levels and what they mean for PCI requirements.
What’s a merchant?
For the sake of clarity, we’ll start off by defining a merchant. In terms of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Basically, if your business takes these types of cards as payment, you’re defined as a merchant.Keep in mind that a merchant that accepts cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants.
SEE ALSO: What are Service Provider Levels and How Do They Affect PCI Compliance?
Merchants have 4 levels, depending on how many transactions they do annually. Here’s what the PCI DSS requires from each level. (Note that the number of transactions are based off of Visa’s parameters.)
SEE ALSO: 5 Simple Ways to Get PCI Compliant
Level 1 Merchant
Merchants that process more than 6,000,000 transactions annually. These are the enterprise organizations that deal with a high volume of card data and processing.SEE ALSO: 5 PCI Compliance Tips for Enterprise Organizations
Key PCI Requirements:
- Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
- Quarterly network scan by Approved Scanning Vendor (ASV)
- Penetration Test
- Internal Scan
- Attestation of Compliance Form
Level 2 Merchant
Merchants that process about 1,000,000 to 6,000,000 transactions annually. These are businesses that still process a lot of card data, but not as much as Level 1 merchants.Key PCI Requirements:
- Annual Self-Assessment Questionnaire (SAQ) if organization has a certified Internal Security Assessor (ISA) on staff
- Onsite Assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA)
- Quarterly network scan by ASV
- Attestation of Compliance Form
- Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan)
Level 3 and Level 4 Merchants
Level 3 merchants are e-commerce merchants that process 20,000 to 1,000,000 transactions annually. Level 4 merchants include small e-commerce businesses and those that process less than 20,000 transactions annually. These are your smaller businesses that may only have a few POS machines, or don’t handle a lot of card data.Key PCI Requirements:
- Annual SAQ
- Quarterly network scan by ASV
- Attestation of Compliance Form
- Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan)
Tips to get PCI compliant
If you’re a merchant, make sure you know what level you are since each level may have some different requirements from PCI. As you can see, Level 3 and 4 merchants have fewer requirements than level 1 and 2 merchants.Here a few tips to help you get PCI compliant:
- Talk with a PCI professional: PCI compliance can get a little complex. Talk to a Qualified Security Assessor (QSA) to see what elements of the PCI DSS your business needs to focus on.
- Understand your PCI scope: track where your card moves in and out of your network. This will help you determine which areas of your business environment need to be secured.
- Document everything: Having proper documentation with your policies and procedures will help you give proof of PCI compliance and help you stay organized in security.