What are the PCI Merchant Levels?

The PCI Merchant Levels and Why They are Important To Your Business

With the sharp increase in credit and debit card usage, and the increase in shopping online or with mobile merchants, consumers today are more and more concerned about companies safeguarding their financial information. Whether you operate a traditional store with a physical retail location, an online store, or both, your business must be in compliance with PCI DSS, or the Payment Card Industry Data Security Standards.

What is PCI Compliance?

The PCI Security Standards Council (the Council) developed the standards for PCI compliance, and this global organization now provides guidelines for “development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard.”

Credit card issuers, including VISA, MasterCard, American Express, Discover Financial Services, and JCB International all agree to incorporate the standards into their payment processing services, and they are also responsible to monitor merchants for compliance and enforce penalties for non-compliance.

PCI Merchant Levels

Most of the major card issuers identify compliance requirements based on a company’s PCI Merchant Level. The measurement classifies businesses according to the volume of traditional and/or e-commerce transactions they have in a 12-month period. Requirements and levels may be different for each card processor, and may also change, so it’s important to check for updates regularly, particularly if your business is close to two levels.

In every case, the global payment brand can determine whether a merchant may be at a higher risk and should have to meet a higher standard for compliance, even if that merchant does not meet the specific transaction volumes of the higher level. This is particularly true for merchants that have experienced account compromises in the past.

PCI Merchant Level 1

VISA and MasterCard: 6 million transactions or more per year
American Express: 2.5 million transactions or more per year
JCB International: 1 million transactions or more per year

PCI Merchant Level 2

VISA and MasterCard: Between 1 million and 6 million transactions per year
American Express: Between 50,000 and 2.5 million transactions per year
JCB International: Fewer than 1 million transactions per year

PCI Merchant Level 3

VISA and MasterCard: Between 20,000 and 1 million e-commerce transactions per year
American Express: Fewer than 50,000 transactions per year
JCB International: Not applicable, this card issuer only designates two levels

PCI Merchant Level 4

VISA and MasterCard: Merchants processing fewer than 20,000 e-commerce transactions per year, and merchants processing fewer than 1 million other transactions per year (not e-commerce transactions)
American Express: Not applicable, this card issuer only designates 3 levels

Discover Card does not currently categorize merchants using the same level system as the other card issuers, instead opting for a “risk-based approach” to validate merchant compliance.

The Compliance Process

To determine whether your customer’s data is safe with your company, there are three steps to follow.

First, assess the state of your IT assets and processes for accepting card payments. Identify areas where cardholder information could be at risk.

Next, remediate by fixing the vulnerabilities identified previously, both on the technology end (fixing technical flaws or potential security breaches) and on the people end of your business (unsafe handling of cardholder information, including storing cardholder data).

Finally, report your compliance to the appropriate card issuer. Find out what your reporting requirements are based on your PCI Merchant Level, and submit the appropriate information to the global payment processor in a timely manner.

If you’re not sure where to start or have additional questions, contact us for a Free PCI Hosting Consultation.