What Are PCI DSS Merchant Levels and Why Do They Matter?

PCI DSS stands for Payment Card Industry Data Security Standards and refers to a set of security standards that merchants need to comply with if they want to accept card payments. While they aren’t legally enforced, the PCI Security Standards Council does impose fines for non-compliance. 

Any merchant that accepts card payments must comply with PCI standards and perform an annual audit to assess PCI DSS compliance, even if they use a third party payment processor to actually handle the card processing. However, your exact obligations will vary depending on which of the four possible PCI DSS merchant levels your business falls into. Since it can be a little confusing, here’s a quick overview of the process so you can figure out what you need to do to avoid getting hit with non-compliance fines. 

How Do You Know Which PCI DSS Merchant Level Applies to Your Business?

Merchants are categorized into PCI compliance levels based on the amount of card transactions they process each year. For Visa, MasterCard, and Discover, the breakdown is as follows:

• Level 1: Merchants processing more than six million transactions per year.
• Level 2: Merchants processing between one and six million transactions per year.
• Level 3: Merchants processing between 20,000 and one million transactions per year.
• Level 4: Merchants processing fewer than 20,000 transactions per year

If you accept payments from other cards like American Express or JCB, the criteria are slightly different so you might be at PCI DSS merchant level 2 for MasterCard but level 1 for American Express. Be sure to check the compliance level criteria for every card you accept. 

Another caveat to remember is that even your transaction volume places you in a lower level, you may be upgraded to a higher compliance level if you experience data breach that compromises card data.

How Do the Requirements Differ Across PCI DSS Merchant Levels?

The level your business falls under will determine what specific steps you’re required to take in order to maintain PCI compliance, with merchants processing more transactions being held to stricter compliance requirements. Here’s a quick overview of what to expect with each PCI DSS merchant level.

PCI DSS Level 1

The highest and most stringent compliance level, PCI DSS level 1 requires the following each year:

• An external security audit performed by a Qualified Security Assessor (QSA). This external audit is a thorough on-site review of a company’s security practices. 
• An annual penetration test. This is a kind of simulated hack that’s done to test how effective a company’s security measures are at keeping hackers out and identify any points of weakness that need to be addressed.
• An annual internal scan. This takes the penetration test a step further by identifying exactly what data would be exposed if those weaknesses were successfully exploited by a hacker. 
• Quarterly network scans performed by an Approved Scanning Vendor (ASV). A kind of mini-audit, network scans evaluate security practices but not as thoroughly as the annual audit.
• A Report on Compliance (ROC) submitted to the merchant’s receiving bank. The ROC is completed by the QSA after the on-site audit and basically summarizes the results of that audit. 
• An Attestation of Compliance (AOC) submitted to the merchant’s receiving bank. Also completed by the QSA, this form essentially certifies that the merchant’s security practices meet PCI DSS standards.  

PCI DSS Level 2

At level 2, merchants still need to meet most of the same reporting and testing requirements as level 1 but with a few differences. Here are the annual requirements for PCI DSS merchant level 2:

• An internal security audit completed using a self-assessment questionnaire (SAQ). Unlike Level 1, Level 2 merchants don’t need to have a QSA perform an external audit. They can do the audit themselves. 
• Annual penetration test
• Annual internal scan
• Quarterly network scans by an ASV
• An ROC, completed by the merchant rather than a QSA, but still submitted to the receiving bank.
• An AOC submitted to the receiving bank. This is still done by a QSA who will simply review the results of the self-assessment and then certify that the merchant meets PCI DSS standards.

PCI DSS Level 3

By level 3, the requirements start to loosen a lot more. Merchants at this level don’t need to do penetration testing or internal scanning and they don’t need to submit an ROC to their receiving bank. However, they still have to meet the following requirements:

• An internal security audit completed using a self-assessment questionnaire (SAQ).
• Quarterly network scans by an ASV
• An AOC submitted to the receiving bank.

PCI DSS Level 4

The lowest compliance level, merchants categorized as PCI DSS level 4 only need to meet the PCI requirements of their bank. That means they typically won’t need to worry about doing external audits, submitting ROCS, or getting AOCs. While requirements will vary from bank to bank, level 4 merchants will most likely just need to fill out the annual SAQ and keep up with the quarterly network scans by an ASV. 

Despite having lighter compliance requirements, some merchants in levels 2-4 voluntarily complete the additional auditing and reporting requirements needed for higher level merchants. Going above and beyond is a way to establish trust with customers, service providers, and banks. So it’s especially recommended to voluntarily adhere to stricter compliance if you might be classified as a high-risk merchant. 

Plus, remember that you could end up being upgraded to higher level anyway if your business experiences a data breach or hack. So taking those extra steps now to ensure the best possible security practices can prevent that from happening.

Completing the Self-Assessment Questionnaire

For merchant levels 2-4, a SAQ is used in place of an external audit. Composed of a series of yes/no questions, the SAQ is basically a point-by-point checklist of each of the PCI DSS standards a merchant needs to meet so that they can review their own security practices. 

With that said, there are a few different SAQs depending both on your compliance level and on how you handle payment card information. So it’s important to double-check that you’re filling out the correct SAQ for your business. 

If the answer to any of the questions is no, you will need to write in the action you plant to take to make your system compliant and the date you expect to complete it. 

Even after reading through that explanation, the whole PCI DSS compliance process might still feel a little overwhelming and complicated. A good way to make this annual security audit less stressful is to make sure you’re only working with PCI compliant equipment and services. 

At National Processing, for example, all POS and gateways are PCI compliant and the payment processor performs regular security scans to ensure every merchant account meets PCI standards. Learn more about the security tools and other features that come with a National Processing merchant account here.