What Do PCI Merchant Levels Mean for Your Small Business?

PCI (Payment Card Industry) compliance is a set of security standards designed to ensure that businesses securely handle, process, and store credit card information to prevent data breaches and protect cardholder data. PCI compliance requirements vary depending on the volume of transactions processed by a business, which is determined by its merchant level. The PCI merchant levels help categorize businesses based on their transaction volume and determine the specific compliance requirements they must meet. Here’s what PCI merchant levels mean for your small business:

PCI Merchant Levels:

  1. Merchant Level 1:
    • Applies to businesses that process over 6 million Visa or Mastercard transactions annually, regardless of the channel (e-commerce, mail, telephone).
    • Any business that has suffered a data breach involving cardholder data is also classified as a Level 1 merchant, regardless of transaction volume.
    • Level 1 merchants are subject to the most stringent PCI compliance requirements, including an annual Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV).
  2. Merchant Level 2:
    • Applies to businesses that process between 1 million and 6 million Visa or Mastercard transactions annually, regardless of the channel.
    • Level 2 merchants are required to complete an annual Self-Assessment Questionnaire (SAQ) and conduct quarterly network scans by an ASV.
  3. Merchant Level 3:
    • Applies to businesses that process between 20,000 and 1 million Visa or Mastercard e-commerce transactions annually.
    • Level 3 merchants are required to complete an annual SAQ and conduct quarterly network scans by an ASV.
  4. Merchant Level 4:
    • Applies to businesses that process fewer than 20,000 Visa or Mastercard e-commerce transactions annually and all other merchants that process up to 1 million Visa or Mastercard transactions annually.
    • Level 4 merchants are required to complete an annual SAQ and may be required to conduct quarterly network scans by an ASV, depending on their acquiring bank’s requirements.

Impact on Small Businesses:

Overall, understanding PCI merchant levels and complying with the associated requirements is essential for small businesses that process credit card transactions. By adhering to PCI compliance standards, small businesses can protect cardholder data, minimize security risks, and build trust with customers.

Dual Pricing: The Future of Payment Processing

The four merchant level categories for PCI

  1. Merchant Level 1:
    • Applies to businesses that process over 6 million Visa or Mastercard transactions annually, regardless of the channel (e-commerce, mail, telephone).
    • Any business that has suffered a data breach involving cardholder data is also classified as a Level 1 merchant, regardless of transaction volume.
    • Level 1 merchants are subject to the most stringent PCI compliance requirements, including an annual Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV).
  2. Merchant Level 2:
    • Applies to businesses that process between 1 million and 6 million Visa or Mastercard transactions annually, regardless of the channel.
    • Level 2 merchants are required to complete an annual Self-Assessment Questionnaire (SAQ) and conduct quarterly network scans by an ASV.
  3. Merchant Level 3:
    • Applies to businesses that process between 20,000 and 1 million Visa or Mastercard e-commerce transactions annually.
    • Level 3 merchants are required to complete an annual SAQ and conduct quarterly network scans by an ASV.
  4. Merchant Level 4:
    • Applies to businesses that process fewer than 20,000 Visa or Mastercard e-commerce transactions annually and all other merchants that process up to 1 million Visa or Mastercard transactions annually.
    • Level 4 merchants are required to complete an annual SAQ and may be required to conduct quarterly network scans by an ASV, depending on their acquiring bank’s requirements.

These four merchant level categories are used to determine the specific PCI compliance requirements that businesses must meet based on their transaction volume and other factors. Each level has its own set of compliance obligations aimed at protecting cardholder data and preventing data breaches.

At KRS AGENCY, our mission is to help businesses become the best they can be. To learn more about our comprehensive services, contact us today.