PCI DSS Merchant Levels – Complete Guide

Vimal Mohan


Aug 02, 2023


If your organization stores, processes, or transmits cardholder data, then you must comply with PCI DSS (Payment Card Industry Data Security Standards). This compliance framework protects cardholder data from unauthorized use.

The compliance requirements differ from one organization to another and are based on the annual transaction volume of the business. The sets of requirements that follow from this volume-based classification are called PCI DSS Levels.

In this article, we talk about the four PCI DSS merchant levels, why they are needed, and how you can determine the level of your business. We also share insights on the Self Assessment Questionnaire (SAQ).

What are PCI Compliance Levels?


PCI compliance levels categorize merchants by the volume of their business, i.e. the number of transactions processed every year. Broadly, businesses are classified into 4 PCI merchant levels, and the requirements get more stringent as the size and complexity of operations increase. A Level 1 business has the most comprehensive list of things to do to ensure compliance, while the process for a Level 4 company to become PCI DSS compliant is comparatively simpler.

Read on for the PCI DSS compliance levels and their requirements.

Why do Organizations need to follow PCI DSS Levels of Compliance?

The PCI Levels for merchants outline the requirements an organization is expected to implement to become/remain PCI DSS compliant. Unfortunately, the PCI Council, the regulatory body of PCI DSS, does not have the resources to audit every organization that processes, stores, or transmits card payment data. So, in the event of a breach, the PCI Council audits the organization that was breached and verifies whether it was complying with all the listed requirements to ensure data integrity and security. If a compliance violation is detected, organizations are charged hefty administrative penalties. In some cases, their access to process card-based transactions is revoked.

PCI DSS compliance Levels help businesses with this classification and list the security requirements and policies a business needs to become/remain compliant.

What Are The 4 PCI DSS Levels?

PCI DSS divides merchants into four categories based on the number of transactions. Level 1 merchants process over 6 million transactions annually, while Level 2 merchants process between 1 and 6 million transactions over the same period. Level 3 merchants fall between 20,000 and 1 million transactions per year, and Level 4 merchants process fewer than 20,000 transactions annually.

Let’s understand PCI merchant levels better:

Level 1

If a business processes over six million transactions a year, it is a Level 1 business. This definition is rudimentary, as other qualifying factors also come into play to decide if a business is Level 1. You are a Level 1 business if any one, or all, of the criteria listed below are met.

Here’s a comprehensive list to identify if your business is a Level 1 business:

  • You process over 6 million VISA, MasterCard, and Discover transactions in a year
  • You process over 2.5 million transactions of American Express in a year
  • You process over 1 million JCB transactions in a year
  • You have been identified as a Level 1 business by any other card provider
  • You have been a victim of a cyber security incident in the recent past that led to the loss of customer data

A common misconception is that a business must actively process transactions to be a Level 1 business. Well, that’s not the case. If you are a business that only stores that transaction information, you’ll still have to be Level 1 compliant.

Firewall service providers, cloud storage service providers, and others who participate passively in this way fall under this scope.

Level 2

Any business that processes 1 – 6 million transactions annually is tagged as a Level 2 business for simplicity and convenience.

Like Level 1, Level 2 also has other qualifiers. Here’s the list:

  • You process 1 to 6 million card-based VISA, MasterCard, and Discover transactions in a year
  • You process over 50,000 and up to 2.5 million American Express transactions in a year
  • You process less than 1 million JCB transactions in a year

Level 3

In everyday terminology, a Level 3 business processes less than 1 million transactions annually. However, like the other two Levels, there are additional qualifiers for a Level 3 business you should know about.

For example, you are a Level 3 business if:

  • You process up to 1 million VISA-based e-commerce transactions in a year
  • You process less than 20,000 MasterCard-based e-commerce transactions a year and less than 1 million total MasterCard transactions in a year
  • You process 20,000 to 1 million Discover-based e-commerce transactions in a year
  • You process less than 50,000 American Express transactions annually

Did you know that JCB does not identify Level 3 status? Any organization processing less than 1 million JCB transactions in a year must comply with the PCI DSS Level 2 requirements.

Level 4

Any business that processes under 20,000 e-commerce transactions of VISA or Mastercard in a year or under 1 million total transactions for VISA or MasterCard in a year is classified as a Level 4 business. 

It is important to note that, for a business to maintain a Level 4 status, it should not have been breached or become a victim of data theft in the recent past.


How Can Merchants Determine Their PCI DSS Level?

If you still aren’t sure of the volume of transactions your business processes, you can conduct an internal audit covering the last 52 weeks and examine that data to reach a conclusion.

You can also hire an external auditor for this job to ensure that no data is missed and the conclusion of your PCI DSS Level is accurate.

The last thing you want is to become non-compliant with PCI DSS by implementing incorrect compliance requirements.


What is The Self-Assessment Questionnaire?

Filling out a Self Assessment Questionnaire (SAQ) is a mandatory step in the PCI compliance process. However, which SAQ a business fills out depends on the nature of the transactions it processes. For instance, if a business processes e-commerce transactions and does not store, process, or transmit card information in its business environment, it is required to fill out SAQ-A. Likewise, SAQ-B is for merchants who have no electronic storage records of the data they process and use a wired dial-out terminal for their transactions.

Types of SAQs Depend on The Organization’s Merchant Level

Based on the nature of transactions in your business process, you are required to fill out an SAQ.

To become PCI DSS compliant, every organization processing card transactions must fill out an SAQ, conduct quarterly scans of their business environments, and produce an Attestation of Compliance (AOC).

A Level 1 business will need to get its assessments done either by an external QSA (Qualified Security Assessor) or by an ISA (Internal Security Assessor). The auditor assesses the scope of compliance and evaluates if the requirements are met and if the necessary controls and policies are implemented.

After the audit, they produce a Report of Compliance (ROC), which is then sent to the PCI Council for approval.

For any business that qualifies as Level 2-4, the process is less intensive compared to a Level 1 business. Level 2-4 companies can complete their assessment themselves. That said, Level 2 organizations are still required to produce a ROC.


Find out how Sprinto Can Help You Become PCI DSS Compliant

The PCI DSS compliance process is exhaustive and time-intensive. Hundreds of controls must be implemented based on your business needs and processes. Doing this yourself can result in non-compliance and loss of productivity, and can make the process expensive.

Did we mention there is a chance that you could be non-compliant after all the effort, time, and financial resources you spent to make your business PCI compliant?

Is there an easier way to approach this? Yes, there is—the Sprinto way.

Sprinto is purpose-built to automate all the monotonous and time-consuming tasks involved in becoming PCI DSS compliant. Sprinto integrates with your business environment to give you complete visibility of it, so you can identify existing vulnerabilities and predict future occurrences. Sprinto’s automation process ensures that we do the heavy lifting in your compliance process while you focus on what matters to you the most – Business Development.

That’s not all. After you’ve implemented all the PCI DSS requirements, Sprinto helps you continuously monitor your systems to track your compliance posture and ensure that any new critical error is addressed immediately.

Talk to our experts today to understand how Sprinto can make your compliance journey a breeze.


How often do I need to validate the PCI DSS compliance based on the compliance level?

Level 1 merchants need an official Report of Compliance annually to validate their PCI DSS compliance. All other levels can complete annual self-assessment questionnaires along with a vulnerability scan every 90 days.

What is Level 4 PCI compliance?

Level 4 PCI compliance is the set of rules laid out by PCI DSS that applies to all businesses that process less than 20,000 e-commerce-based MasterCard or VISA transactions a year or less than 1 million VISA transactions in a year.

What is a Level 3 merchant?

A Level 3 merchant processes less than 1 million VISA or MasterCard-based e-commerce transactions in a year or processes 20,000 to 1 million MasterCard transactions a year.

Level 3 merchants also process less than 50,000 American Express transactions in a year or process between 20,000 and 1 million Discover transactions annually.

Who defines merchant Levels for PCI?

The PCI Council has laid out the guidance required to help merchants or businesses identify the Level they fall into.

Vimal Mohan


Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for everyday folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise.
