All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

PCI-DSS Merchant Levels

All merchants who process their customers’ cardholder data during a transaction need to ensure they are PCI-DSS compliant to protect both the business and the consumer from any potential data breaches. By putting your business through a PCI-DSS audit, you can catch any security threats before they come to fruition and monitor your existing system to ensure data is being processed and protected correctly.

Read More

PCI-DSS Merchant Levels

It’s important to know during this process that there are four different PCI-DSS merchant levels, based on size and scale, that your business will fall into. The requirements and security controls are different for each level, so it’s important to know what applies to your business to remain compliant.

What are the PCI-DSS compliance levels for merchants?

Depending on the number of card transactions your business processes a year, you will fall into one of the following four categories:

  • Level 1 covers merchants that process over 6 million card transactions a year.
  • Level 2 covers merchants that process 1 million to 6 million transactions a year.
  • Level 3 covers merchants that process 20,000 to 1 million transactions a year.
  • Level 4 covers merchants that process fewer than 20,000 transactions a year.

If you’re not sure which level you fall under, it’s worth checking with either your card processing service providers or by using reporting tools. You will also need to check that the levels for the credit card companies you use match up with the industry level requirements.

What are the PCI-DSS merchant levels used for?

A business’ PCI-DSS merchant levels determine the level of security validation required for a merchant to maintain PCI-DSS compliance. The merchant level also determines how many assessments (including risk assessments and penetration testing) the business will need to do a year to keep threats at bay.

PCI-DSS merchant Levels 1-3 need to report their PCI-DSS compliance status directly to the banks they use. However, Level 4 merchants need to consult directly with their banks as they may be required to validate their compliance.

Additionally, Level 1 merchants need to submit a Level 1 On-site Assessment, which is an annual report on compliance completed by a Qualified Security Assessor (QSE), or an internal audit signed by one of the company’s officers. Level 1 merchants are also subject to a quarterly network scan by an Approved Scanning Vendor (ASV), and an Attestation of Compliance form.

Level 2 and Level 3 merchants are required to submit a self-assessment questionnaire annually. They will also need to have a quarterly external vulnerability scan by an ASV.

The requirements for Level 4 merchants completely depend on their acquiring bank.

Compliance as you work with Hicomply

The complex nature of PCI-DSS compliance requirements can seem overwhelming at times – especially when determining your PCI-DSS merchant levels. At Hicomply, we’ve aimed to streamline the process by creating a custom ISMS dashboard for businesses who want to keep all their security framework in one place.

To find out more about how Hicomply can help your business make the PCI-DSS compliance a breeze, request a demo with our team today.