Answer: Merchant Levels are based on the number of transactions (not dollar amount) processed in one calendar year. Transaction counts are per card brand, not a total among all card brands. Note that each card brand has its own Merchant Level qualifications.
It is important to note that all merchants who fall under Level 2, 3, or 4 are eligible to complete the Self-Assessment Questionnaire (SAQ) to determine their compliance status.
Level 2 merchants are allowed to have an onsite assessment performed by a QSA or to complete an SAQ. However, Level 2 merchants choosing the SAQ option need to ensure that the individual completing the self-assessment questionnaire has been trained and is qualified as a PCI SSC ISA (Internal Security Assessor).
General Guidelines
(For greater detail, see merchant levels for each card brand following this general guidelines section)
MERCHANT LEVEL | DESCRIPTION | SAQ Permitted or On-site Audit Required by QSA? | Quarterly PCI Scanning Required? (Depending on SAQ Type) |
---|---|---|---|
1 | Any merchant, regardless of acceptance channel, processing more than 6,000,000 transactions per year. Any merchant that recently suffered a security breach, resulting in account compromise. | QSA | Required |
2 | Any merchant processing between 1,000,000 and 6,000,000 transactions per year. | QSA or SAQ | Required |
3 | Any merchant processing 20,000 to 1,000,000 transactions per year. | SAQ | Required |
4 | All other merchants not in Levels 1, 2, or 3 regardless of acceptance channel. | SAQ | Required |
1 Stop PCI Scan is qualified to perform quarterly network scanning for all merchant levels across all payment brands.
VISA PCI Merchant Levels Defined
MERCHANT LEVEL | DESCRIPTION | VALIDATION REQUIREMENTS |
---|---|---|
1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. | Annual onsite security assessment report and quarterly network scan |
2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year. | SAQ and quarterly network scan |
3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. | SAQ and quarterly network scan |
4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. | SAQ and quarterly network scan |
American Express PCI Merchant Levels Defined
MERCHANT LEVEL | DESCRIPTION | VALIDATION REQUIREMENTS |
---|---|---|
1 | Merchants processing over 2.5 million American Express Card transactions annually; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1 | Annual onsite security assessment report and quarterly network scan |
2 | Merchants processing 50,000 to 2.5 million American Express transactions annually; or any merchant that American Express otherwise deems Level 2 | SAQ and quarterly network scan |
3 | Merchants processing fewer than 50,000 American Express transactions annually | SAQ and quarterly network scan |
4 | N/A | N/A |
Mastercard PCI Merchant Levels Defined
MERCHANT LEVEL | DESCRIPTION | VALIDATION REQUIREMENTS |
---|---|---|
1 | Merchants processing over 6 million Mastercard transactions annually; or any merchant identified by Visa as Level 1; or any merchant that has suffered an Account Data Compromise event; or any merchant that Mastercard, in its sole discretion, determines to be a Level 1 merchant | Annual onsite security assessment report and quarterly network scan |
2 | Merchants processing 1 million to 6 million Mastercard transactions annually; or any merchant meeting Visa Level 2 requirements | SAQ and quarterly network scan |
3 | Merchants processing 20,000 to 1 million Mastercard e-commerce transactions annually; or any merchant meeting Visa Level 3 requirements | SAQ and quarterly network scan |
4 | All other merchants | SAQ and quarterly network scan |
Discover PCI Merchant Levels Defined
MERCHANT LEVEL | DESCRIPTION | VALIDATION REQUIREMENTS |
---|---|---|
1 | All merchants processing more than 6 million card transactions annually on the Discover network. Any merchant that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements. All merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant | Annual onsite security assessment report and quarterly network scan |
2 | All merchants processing between 1 million and 6 million card transactions annually on the Discover network | SAQ and quarterly network scan |
3 | All other merchants. | SAQ and quarterly network scan |
4 | N/A | N/A |
For information about the JCB card brand and the JCB Data Security Program, please refer to compliance validation procedures at the following page: https://www.global.jcb/en/products/security/data-security-program/index.html.