PCI Merchant Levels 1 – 4 and Compliance Requirements – VISA & MasterCard

There are numerous PCI DSS merchant levels, with varying compliance requirements, that merchants need to be aware of. As for the technical definition of a merchant, it is “…any entity that accepts payment cards bearing the logos of any of the five members of the Payment Card Industry Security Standards Council (PCI SSC)…as payment for goods and/or services…”
Source: pcisecuritystandards.org

Listed below are the merchant levels, criteria, and related validation requirements for VISA and MasterCard. Although there are technically three (3) other major payment brands (AMEX, Discover, and JCB), compliance with the two (2) noted brands generally covers the others:

Merchant Level: 1
Merchant Criteria: (1). Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year.  (2). Any merchant that has had a data breach or attack that resulted in an account data compromise.  (3). Any merchant identified by any card association as Level 1.
Validation Requirements: (1). Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”) – also commonly known as a Level 1 onsite assessment – or by an internal auditor if signed by an officer of the company. (2). Quarterly network scan by an Approved Scan Vendor (“ASV”). (3). Attestation of Compliance Form.

Merchant Level: 2
Merchant Criteria:  1 million – 6 million Visa or MasterCard transactions annually (all channels).
Validation Requirements for VISA and MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form.

Merchant Level: 3
Merchant Criteria: Merchants processing 20,000 to 1 million Visa or MasterCard e-commerce transactions annually.
Validation Requirements for VISA and MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form.

Merchant Level: 4
Merchant Criteria: Fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.
Validation Requirements for VISA and MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form. Note: Ultimately, compliance validation requirements are set by the acquirer.

Policies and Procedures are Necessary for PCI Merchant Levels 1 – 4 Compliance

In summary, each level of merchant compliance carries specific reporting requirements: either an onsite assessment by an actual PCI-QSA (Level 1), or self-assessment via the Self-Assessment Questionnaires (SAQ) for Levels 2 – 4. For both the onsite assessments and the self-assessment process, documented PCI DSS policies and procedures are needed for compliance, which can be obtained from pcipolicyportal.com. As the industry leader in developing PCI SAQ policies and procedures, pcipolicyportal.com has developed the following policy and procedural documentation specific to the exact needs of merchants:

•    SAQ A for Merchants
•    SAQ B for Merchants
•    SAQ C for Merchants
•    SAQ C-VT for Merchants
•    SAQ D for Merchants and Service Providers
•    SAQ P2PE-HW for Merchants
•    Onsite Assessments by PCI-QSA

Purchase and immediately download your PCI Policies Packet today for SAQ A, B, C, C-VT, D, P2PE-HW, and Level 1 onsite assessments.

The World’s Leading Provider of PCI Policies and Procedures – Download Today!

Learn more about the PCI certification process for the Self-Assessment Questionnaires (SAQ A – D), and the PCI certification process for Level 1 onsite assessments, along with the importance of PCI compliance policies, procedures, and templates for compliance by visiting pcipolicyportal.com. pcipolicyportal.com also offers policy and procedure writing services, so contact us today to learn more.  Since 2009, we have been the global leader in offering the very best PCI policies and procedures to merchants and service providers.