Merchants vs. Service Provide, PCI DSSs: What are they and what are the requirements.

We are often asked, both by those new to PCI DSS and those who have been involved for a while, what is the difference between a merchant and a service provider, what are the ‘levels’ and what do they really mean?  Are the levels based on individual transactions, overall value or by card brand?  And the list goes on.  In the next two blogs, we will look at the levels, provide some clarity and highlight the differences between the major card brands.

The number of organisations that accept card payments, and the variety of methods they utilise to accept those payments, has grown exponentially in the last few years.  The number and complexity of services and systems to support those organisations has also multiplied at an overwhelming pace.  In line with this, the risks have also increased, which has been demonstrated by the torrent of breach activity that has recently made the news.  It is therefore vital to understand how PCI DSS applies to you, or those organisations you work with, and what requirements apply to you so that you can achieve and maintain compliance.

So, let’s start with merchants.  A merchant is defined as ‘any entity that accepts payment cards bearing the logos of any of the five founding members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.  This is relatively simple for merchants, as they have a merchant agreement with an acquiring bank.  A merchant identification number (MID) is a unique code given to a business by the payment processors before the merchant begins processing card payments.  The MID is attached to the merchant account and transmitted, along with the cardholder’s information, to facilitate reconciliation.

Having said it is relatively simple, we have just introduced two new terms – acquiring bank and payment processors.  Let’s step back and make sure we understand those.  The terms ‘acquirer’ and ‘payment processor’ are sometimes used interchangeably (and an organisation can be both), but they actually refer to two different functions.

  • An acquirer is the financial institution that processes credit and/or debit card transactions
  • A payment processor is a company that communicates with the issuing banks.

After the customer has used their card, received confirmation from your website, or hung up the phone, both the acquirer and the payment processor each service a unique function.  A payment processor effectively acts as the mediator between you and the financial institutions involved in payment transactions.  Processors authorise transactions and ensure you get paid on time by facilitating the transfer of funds from your customers’ accounts to your own.  Examples of well- known payment processors are Worldpay (that said, Worldpay is an example of an organisation that is both an acquirer and a payment processor) and First Data.  The acquirer is most often the merchant’s or retailer’s bank.  The acquirer is responsible for taking the approved transaction (that was approved by the payment processor) and settling the transaction.

At first glance, the PCI DSS merchant levels are as follows:

  • Level 1 – Over 6 million transactions annually
  • Level 2 – Between 1 and 6 million transactions annually
  • Level 3 – Between 20 000 and 1 million transactions annually
  • Level 4 – Less than 20 000 transactions annually

However, an important factor in this is the transaction volume is actually per card brand, therefore if you process 500,000 Visa card numbers and 500,000 Mastercard numbers, you’re likely to be classified as a Level 3 merchant.  It’s also important to note that the card brands have their own slightly different interpretations of merchant levels, but generally if the merchant is classified Level 1 for a particular card brand, it’s likely this classification will be considered the same for all brands.

 

Level Criteria Validation Requirements
Level 1

 

  • Merchants processing more than 6 million Visa, Mastercard, or Discover transactions annually via any payment channel
  • Merchants processing more than 2.5 million American Express transactions annually
  • Merchants processing more than 1 million JCB transactions annually
  • Merchants that have suffered a data breach or cyberattack that resulted in cardholder data (CHD) being compromised
  • Merchants that have been identified by another card brand as Level 1
  • Annual Report on Compliance (RoC) by a Qualified Security Assessor (QSA) (or ISA accredited staff member for Mastercard)
  • Quarterly network scan by Approved Scanning Vendor (ASV)
  • Attestation of Compliance (AoC) form

 

Level 2
  • Merchants processing between 1 million and 6 million Visa, Mastercard, or Discovery transactions per year via any payment channel
  • Merchants processing between 50 000 to 2.5 million American Express transactions annually
  • Merchants processing less than 1 million JCB transactions annually

 

  • Annual Self-Assessment Questionnaire (SAQ) (Mastercard requires merchant staff to be ISA certified or use a QSA for an onsite assessment)
  • Quarterly network scan by Approved Scanning Vendor (ASV)
  • Attestation of Compliance (AoC) form
  • None for JCB

 

Level 3
  • Merchants processing between 20 000 and 1 million Visa and Mastercard e-commerce transactions annually
  • Merchants that process 20000 to 1 million Discover card-not-present only transactions annually
  • Less than 50 000 American Express transactions annually

 

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by ASV
  • Attestation of Compliance (AoC) form
  • None for JCB

 

Level 4
  • Merchants processing less than 20 000 Visa or Mastercard e-commerce transactions annually
  • All other merchants processing up to 1 million Visa or Mastercard transactions annually
  • American Express does not have a Level 4

 

  • These largely depend on the requirements of the merchant’s acquiring bank
  • Typically include an SAQ and quarterly network scan by an ASV
  • None for JCB

 

In our next blog we will look at service providers and provide a summary of the requirements for a PCI DSS service provider.  However, a key point to remember; it is important that you don’t just look at the volume of transactions you are doing today.  What are your growth plans?  Do you expect to fall into the next bracket next year?  If yes, focus your compliance programme on the next level up.

Identifying the status and levels of PCI DSS compliance. Merchants vs. Service Providers