All merchants need to be compliant with PCI DSS v.3.2.1 but each payment brand has its own program for compliance, validation levels and enforcement.
Merchant levels are:
- defined by the payment brands
- determined by the acquirers
- based on transaction volume and type (i.e. eCommerce or card-not-present, face-to-face or card-present).
Your merchant level determines how you report/validate compliance. Depending on the acquirer's discretion, if they believe you are a high-risk merchant or if you've suffered a data compromise, they can enforce you to meet requirements for Level 1 merchants even if your transaction volumes are low.
Merchant Levels for Visa, MasterCard and Amex
| Level | Visa, Mastercard | Amex |
|---|---|---|
| 1 | Any merchant processing over 6 million transactions per year | Any merchant processing over 2.5 million transactions per year |
| 2 | Any merchant processing 1 million to 6 million transactions per year, regardless of acceptance channel | Any merchant processing 50,000 to 2.5 million transactions per year |
| 3 | Any merchant processing 20,000 to 1 million eCommerce transactions per year | Any merchant processing less than 50,000 transactions per year |
| 4 | Any merchant processing less than 20,000 eCommerce transactions per year, and all other merchants processing up to 1 million Visa/MasterCard transactions per year |
PCI DSS Validation Requirements for Merchant Levels
| Level | Visa, MasterCard | Amex |
|---|---|---|
| 1 |
|
|
| 2 |
|
|
| 3 |
|
|
| 4 |
|