What Are the Merchant Levels

Latest update: 5 Aug

We are often asked, both by those new to PCI DSS and those who have been involved for a while: what is the difference between a merchant and a service provider? What are the ‘levels’ and what do they really mean? Are the levels based on individual transactions, overall value, or card brand? And the list goes on. In the next two blogs, we will look at the levels, provide some clarity and highlight the differences between the major card brands.

The number of organisations that accept card payments, and the variety of methods they utilise to accept those payments, has grown exponentially in the last few years.  The number and complexity of services and systems to support those organisations has also multiplied at an overwhelming pace.  In line with this, the risks have also increased, which has been demonstrated by the torrent of breach activity that has recently made the news.  It is therefore vital to understand how PCI DSS applies to you, or those organisations you work with, and what requirements apply to you so that you can achieve and maintain compliance.

So, let’s start with merchants. A merchant is defined as ‘any entity that accepts payment cards bearing the logos of any of the 6 members of PCI SSC (American Express, Discover, JCB, MasterCard, UnionPay, or Visa) as payment for goods and/or services’. This is relatively simple for merchants, as they have a merchant agreement with an acquiring bank. A merchant identification number (MID) is a unique code given to a business by the payment processor before the merchant begins processing card payments. The MID is attached to the merchant account and transmitted, along with the cardholder’s information, to facilitate reconciliation.

Having said it is relatively simple, we have just introduced two new terms – acquiring bank and payment processors.  Let’s step back and make sure we understand those.  The terms ‘acquirer’ and ‘payment processor’ are sometimes used interchangeably (and an organisation can be both), but they actually refer to two different functions.

  • An acquirer is the financial institution that processes credit and/or debit card transactions.
  • A payment processor is a company that communicates with the issuing banks.

After the customer has used their card, received confirmation from your website, or hung up the phone, the acquirer and the payment processor each perform a distinct function. A payment processor effectively acts as the mediator between you and the financial institutions involved in payment transactions. Processors authorise transactions and ensure you get paid on time by facilitating the transfer of funds from your customers’ accounts to your own. Examples of well-known payment processors are Worldpay (that said, Worldpay is an example of an organisation that is both an acquirer and a payment processor) and First Data. The acquirer is most often the merchant’s or retailer’s bank. The acquirer is responsible for taking the transaction that was approved by the payment processor and settling it.

At first glance, the PCI DSS merchant levels are as follows:

  • Level 1 – Over 6 million transactions annually
  • Level 2 – Between 1 and 6 million transactions annually
  • Level 3 – Between 20,000 and 1 million transactions annually
  • Level 4 – Fewer than 20,000 transactions annually

However, it is important to note that this transaction volume is actually per card brand.  Therefore, if you process 500,000 Visa card numbers and 500,000 Mastercard numbers, you’re likely to be classified as a Level 3 merchant.  It’s also important to note that the card brands have their own slightly different interpretations of merchant levels, but generally, if the merchant is classified Level 1 for a particular card brand, it’s likely this classification will be considered the same for all brands.

So, what do these levels mean? Well, each level has different validation requirements for proving compliance with the PCI DSS. Equally, each brand may have different requirements based on a number of factors, such as whether your organisation has suffered a breach recently, or whether you are new to PCI DSS.

Validation requirements by level:
Level 1
  • Annual Report on Compliance (RoC) by a Qualified Security Assessor (QSA) (or ISA-accredited staff member for Mastercard)
  • Quarterly network scan by an approved scanning vendor (ASV)
  • Attestation of Compliance (AoC) form
Level 2
  • Annual Self-Assessment Questionnaire (SAQ) (Mastercard requires merchant staff to be ISA certified or use a QSA for an onsite assessment)
  • Quarterly network scan by an ASV
  • AoC form
Level 3
  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by an ASV
  • AoC form
Level 4
  • These largely depend on the requirements of the merchant’s acquiring bank
  • Typically include an SAQ and quarterly network scan by an ASV

However, a key point to remember: don’t just look at the volume of transactions you are doing today. What are your growth plans? Do you expect to fall into the next bracket next year? If yes, focus your compliance programme on the next level up.
