PCI-DSS Merchant Levels
All merchants who process their customers’ cardholder data during a transaction need to ensure they are PCI-DSS compliant to protect both the business and the consumer from any potential data breaches. By putting your business through a PCI-DSS audit, you can catch any security threats before they come to fruition and monitor your existing system to ensure data is being processed and protected correctly.
During this process, it’s important to know that there are four different PCI-DSS merchant levels, based on size and scale, and that your business will fall into one of them. The requirements and security controls differ for each level, so you need to know which one applies to your business to remain compliant.
What are the PCI-DSS compliance levels for merchants?
Depending on the number of card transactions your business processes a year, you will fall into one of the following four categories:
- Level 1 covers merchants that process over 6 million card transactions a year.
- Level 2 covers merchants that process 1 million to 6 million transactions a year.
- Level 3 covers merchants that process 20,000 to 1 million transactions a year.
- Level 4 covers merchants that process fewer than 20,000 transactions a year.
If you’re not sure which level you fall under, it’s worth checking with your card processing service provider or using its reporting tools. You will also need to check that the levels defined by the credit card companies you use match up with the industry level requirements above.
What are the PCI-DSS merchant levels used for?
A business’s PCI-DSS merchant level determines the level of security validation required for the merchant to maintain PCI-DSS compliance. The merchant level also determines how many assessments (including risk assessments and penetration testing) the business will need to carry out each year to keep threats at bay.
PCI-DSS merchant Levels 1-3 need to report their PCI-DSS compliance status directly to the banks they use. However, Level 4 merchants need to consult directly with their banks as they may be required to validate their compliance.
Additionally, Level 1 merchants need to submit a Level 1 On-site Assessment, which is an annual report on compliance completed by a Qualified Security Assessor (QSA), or an internal audit signed by one of the company’s officers. Level 1 merchants must also have a quarterly network scan performed by an Approved Scanning Vendor (ASV) and submit an Attestation of Compliance (AOC) form.
Level 2 and Level 3 merchants are required to submit a self-assessment questionnaire annually. They will also need to have a quarterly external vulnerability scan by an ASV.
The requirements for Level 4 merchants completely depend on their acquiring bank.
Compliance as you work with Hicomply
The complex nature of PCI-DSS compliance requirements can seem overwhelming at times – especially when determining your PCI-DSS merchant level. At Hicomply, we’ve aimed to streamline the process by creating a custom ISMS dashboard for businesses that want to keep all their security frameworks in one place.
To find out more about how Hicomply can help your business make PCI-DSS compliance a breeze, request a demo with our team today.