What are Merchant Levels for PCI compliance?

There are lots of sites which list PCI merchant compliance levels. They mostly make straightforward statements like “PCI requires merchants of transaction volumes over 6 million per year to be level 1”. This is a nice, simple approach. Unfortunately, it’s also wrong in a couple of different ways.

  1. PCI DSS doesn’t have any requirements to categorize merchants by level. The levels are created by the various card brand information security programs, not the PCI Council. These are the same programs that ultimately require merchants to comply with PCI DSS in the first place; and
  2. The rules mapping transaction volumes to level are not quite so simple, as each card brand has their own rules. Even at the same transaction volume, you can be at one level for American Express, another for JCB, and yet another for Visa.

Before diving into the details by card brand, let’s illustrate the latter point with an example. Consider a hypothetical merchant who on an annual basis does 1.2 million JCB transactions, 2.2 million American Express transactions, and 4 million Visa transactions.

By straightforward transaction count, that merchant would be a Level 1 for JCB, and Level 2 for American Express and Visa. To complicate matters, Visa has an additional rule that requires you to be Level 1 for Visa if any other card brand has deemed you a Level 1. So in this case you would ultimately be Level 1 for JCB and Visa, and at risk of American Express determining you’re Level 1 for similar reasons.

So what do the levels mean? Basically, they determine whether you are allowed to assess your PCI compliance using a Self Assessment Questionnaire (SAQ), or whether you must do an on-site assessment and complete a full Report of Compliance (ROC). The levels also govern what your annual PCI reporting requirements are to the card brand(s).

Now that we’ve gone over this at a high level, it’s time to dive into the assessment and reporting requirements by card brand.

Contents

Compliance Levels by Card Brand

For Level 1 merchants, Discover, Mastercard and Visa are all basically aligned on the requirements. This is why most people discussing merchant levels typically use these definitions. Always remember that American Express and JCB are significantly different, and for some merchants that difference may be material to how they manage their PCI assessment.

At the lower merchant levels, the various card brands differ more. Only Mastercard and Visa even have a Level 4 merchant level, and the lowest level recognized by JCB is Level 2.

To some extent, these thresholds are driven by the relative numbers of card holders for each program. There are fewer people with JCB cards than Visa, for example. If JCB was to set its Level 1 merchant threshold to be 6 million, as with Visa, significantly fewer might be categorized that way. Since we assume the category definitions are driven by risk of compromise to the card brand’s business, it’s reasonable that a smaller total number of transactions represents a similar percentage of JCB’s total transaction volume, and thus revenue.

Even if a particular card brand does not require you to be Level 1 at your current volumes, if another brand does consider you Level 1 you may as well be Level 1 for them all. Being Level 1 requires that you have an annual on-site assessment and complete a ROC, although some brands allow you to complete this yourself without bring in a QSA. Having gone to that amount of work, you may as well reuse the same reporting package you’ve generated to report to the other brands.

LevelAmerican ExpressDiscoverJCBMastercardVisa
1Merchants processing over 2.5 million American Express Card transactions annually, or any merchant that American Express deems a Level 1.Merchants processing more than 6 million card transactions annually on the Discover network. Any merchant that Discover deems to be a Level 1. All merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant.Merchants processing over 1 million JCB transactions annually, or compromised merchants.Merchants processing over 6 million Mastercard transactions annually, identified by Visa as Level 1, or merchants that have experienced an account data compromise.Merchants processing over 6 million Visa transactions annually, identified by another payment card brand as Level 1, or merchants that have experienced an account data compromise.
2Merchants processing 50,000 to 2.5 million American Express transactions annually or any merchant that American Express otherwise deems Level 2.All merchants processing between 1 million and 6 million card transactions annually on the Discover network.Merchants processing less than 1 million JCB transactions annually.Merchants processing 1 million to 6 million Mastercard transactions annually, or merchants meeting the Level 2 criteria of Visa.Merchants processing 1 million to 6 million Visa transactions annually.
3Merchants processing less than 50,000 American Express transactions annually.All other merchants.N/AMerchants processing 20,000 to 1 million Mastercard e-commerce transactions annually, or merchants meeting the Level 3 criteria of Visa.Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
4N/AN/AN/AAll other Mastercard merchants.Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.

Note that at the lower levels, Mastercard and Visa make distinctions between e-commerce transactions, and all other transactions. This distinction becomes important when you consider which particular SAQ you’re eligible to complete.

Assessment & Reporting Requirements by Card Brand

The table above allows you to map transaction volume per card brand onto your current merchant level. Now that you know what your level is, how is that actionable?

Technically, all merchants accepting any of the brands are required to be compliant with the full PCI DSS standard, as applicable to their business (maybe something in the standard is N/A for a particular merchant). But the level of scrutiny of that compliance varies based on your transaction volume. Again, taking a risk-based approach, it’s reasonable that merchants doing more volume should get more scrutiny.

Rather than handling on a case-by-case basis, the card brands have chosen to drive the assessment and reporting requirements by your merchant level. The following table illustrates what the obligations are per card brand, depending on your current merchant level.

It’s worth noting that these requirements, like other aspects of PCI, are actually slightly less stringant for merchants than for service providers at the same level. Level 1 merchants need an on-site assessment resulting in a ROC, but in most cases are permitted to use internal staff to do this. Whereas for service providers, Level 1 basically requires that an external QSA do the assessment.

This is another example of a risk-based approach: since they typically provide services for multiple merchants, a service provider compromize represents a bigger overall exposure to payment security. We’ll cover service providers in a separate article.

Here are the merchant assessment and reporting requirements.

LevelAmerican ExpressDiscoverJCBMastercardVisa
1Annual on-site Security Assessment conducted by either a QSA, or an internal auditor with results certified by CEO, CFO, CISO, or principal
Conduct quarterly network scans by an ASV and submit the AOSC or executive summary
Annual on-site Security Assessment conducted by either a QSA or an internal auditor holding the ISA qualification
Conduct quarterly network scans by an ASV, submission of scan results not required
Annual on-site Security Assessment conducted by a QSA
Conduct quarterly network scans by an ASV
Annual on-site Security Assessment conducted by either a QSA or an internal auditor holding the ISA qualification
Quarterly network scans conducted by an ASV
File a ROC by QSA or Internal Auditor if signed by officer of the company.

Submit an AOC form
Conduct quarterly scans by an ASV
2Complete an annual SAQ and have it certified by CEO, CFO, CISO, or principal
Conduct quarterly network scans by an ASV and submit the AOSC or executive summary
Annual self-assessment conducted by an internal auditor
Conduct quarterly network scans by an ASV, submission of scan results not required
Annual self-assessment
Conduct quarterly network scans by an ASV
Annual self-assessment conducted by an internal auditor holding the ISA qualification, or on-site assessment conducted by a QSA
Quarterly network scans conducted by an ASV
Complete an SAQ
Submit an AOC form
Conduct a quarterly network scan by an ASV
3Recommended to complete an annual SAQ and have it certified by CEO, CFO, CISO, or principal
Recommended to conduct quarterly network scans by an ASV and submit the AOSC or executive summary
Annual self-assessment conducted by an internal auditor
Conduct quarterly network scans by an ASV, submission of scan results not required
N/AAnnual self-assessment conducted by an internal auditor holding the ISA qualification, or on-site assessment conducted by a QSA
Quarterly network scans conducted by an ASV
Complete an SAQ
Submit an AOC form
Conduct a quarterly network scan by an ASV
4N/AN/AN/APCI DSS compliance is required
Acquirer will determine if compliance validation is required. If required:
- Annual self-assessment conducted by an internal auditor holding the ISA qualification, or on-site assessment conducted by a QSA
- Quarterly network scans conducted by an ASV
Complete an SAQ
Submit an AOC form
Conduct a quarterly network scan by an ASV

Card Brand Sites

Which merchant level you are is a complicated topic, perhaps moreso if you’re not clearly a Level 1 merchant. If you are Level 1, then the most straightfoward path is to contract with a QSAC and have their QSA staff do an on-site assessment. If you are not Level 1, but still have significant transaction volumes, then you need to carefully choose the correct SAQ to complete, per brand. You also need to ensure that you have an appropriate person completing this. Some card brands require internal audit staff be Internal Security Assessor (ISA)-qualified to complete the SAQ at higher level merchants, whereas others do not.

Use the tables above as a starting point for your compliance and reporting obligations. But beyond that you need to become familiar with the information security programs operated and mandated by the card brands you accept.

The following sites are maintained by the various card brands and outline the requirements of their respective information security programs.

Card BrandSite
American Expresshttps://merchant-channel.americanexpress.com/merchant/en_US/data-security
Discoverhttps://www.discoverglobalnetwork.com/en-us/business-resources/fraud-security/pci-rules-regulations/
JCBhttps://www.global.jcb/en/products/security/data-security-program/index.html
Mastercardhttps://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
Visahttps://usa.visa.com/support/small-business/security-compliance.html