All merchants need to be compliant with PCI DSS v3.2.1, but each payment brand runs its own compliance program with its own validation levels and enforcement.
Merchant levels are:
- defined by the payment brands
- determined by the acquirers
- based on transaction volume and acceptance channel (i.e. eCommerce/card-not-present versus face-to-face/card-present).
Your merchant level determines how you report and validate compliance. At the acquirer's discretion, if they consider you a high-risk merchant or if you have suffered a data compromise, they can require you to meet the Level 1 merchant requirements even if your transaction volume is low.
Merchant Levels for Visa, MasterCard and Amex
| Level | Visa / MasterCard | American Express |
|---|---|---|
| 1 | Any merchant processing over 6 million transactions per year | Any merchant processing over 2.5 million transactions per year |
| 2 | Any merchant processing 1 million to 6 million transactions per year, regardless of acceptance channel | Any merchant processing 50,000 to 2.5 million transactions per year |
| 3 | Any merchant processing 20,000 to 1 million eCommerce transactions per year | Any merchant processing less than 50,000 transactions per year |
| 4 | Any merchant processing less than 20,000 eCommerce transactions per year, and all other merchants processing up to 1 million Visa/MasterCard transactions per year | |
PCI DSS Validation Requirements for Merchant Levels