    What are the merchant levels for PCI DSS 4.0?

    Understanding the different PCI merchant levels is the first step to reducing the challenges they might bring to your organization.

    What are merchant levels and why have them?

    Set by the PCI Security Standards Council (PCI SSC), the PCI merchant levels bucket organizations according to the risk the business poses to cardholders and the larger financial ecosystem. The higher the volume of transactions you process, the bigger a target you are for cyber criminals and the more risk you pose to banks, merchants, processors, etc. (and to the trust that holds it all together).

    By bucketing merchants this way, the PCI SSC hopes to right-size the amount of compliance burden to a merchant's size and risk. This impacts the merchant’s attestation, or the process of demonstrating and documenting compliance.

    Quick refresher on PCI DSS:

    In essence, Payment Card Industry Data Security Standard (PCI DSS) acts as an industry-wide standard for the protection of payment data across environments and its stakeholders.

    If you’re storing, processing, or transmitting credit card data, you must satisfy all PCI requirements. In reality, however, most businesses today use service providers, like Stripe and Basis Theory. These vendors' infrastructure and offerings are already PCI compliant and help keep their customers' systems out of scope. That said, regardless of whether you build or buy your PCI environment, you'll be required to attest to your compliance. That's where levels also matter.

    How do PCI merchant levels impact companies?

    It’s probably more helpful to think of merchant levels less as a “level of security” you must have (because, again, all merchants must meet PCI's security requirements) and more as the level of effort required to prove compliance and security.

    The PCI DSS merchant levels shape your company's PCI DSS program and attestation effort in three primary ways:

    How you test for vulnerabilities

    While your controls protect your system, the PCI SSC wants to know how well they're working. There are two methods; which one is required depends on your level.

    • Quarterly network scan by an Approved Scanning Vendor (ASV)

    • Penetration test of your system conducted by an external party

    Who assesses your compliance

    You'll need to "attest" to your compliance by having your existing system validated. Who can or must assess that depends primarily on your merchant level.

    • Self-assessment is performed by an appropriate internal stakeholder familiar with your implementation.

    • Qualified Security Assessor (QSA) is an external independent third party brought in to audit and validate.

    • Internal Security Assessor (ISA) is more common in large enterprises; the ISA conducts assessments and liaises with external assessors.

    The method and length of assessment

    A PCI DSS assessment is essentially a checklist of questions you must answer and evidence you must provide to your acquirer. The more requirements you're asked to validate, the more work you have in front of you.

    • Self-assessment questionnaire (SAQ) is completed by a self-assessor or ISA. There are 9 different SAQs, ranging from 22 questions (SAQ A) to 339 (SAQ D). Make sure you select the right SAQ for you.

    • Report on Compliance (ROC) is completed by a QSA. It's a thorough assessment against all PCI DSS requirements.

    Go in-depth on the differences between SAQs and ROCs.

    While you cannot change your level, PCI SSC does allow you to use services and technologies that can significantly reduce the burden of your requirements and, with over 300 requirements, your goal should be to decrease that number as much as possible.

    For example, if you use a service provider like Basis Theory to secure your cardholder information, you can skip the quarterly vulnerability scans, self-assess, and use the shortest assessment method (SAQ A with 22 questions).

    What are the different merchant levels for PCI DSS 4.0 (and which am I)?

    There are four merchant levels under PCI DSS 4.0. The level of a merchant is determined by the aggregate number of Visa transactions it processes across all of its “Doing Business As” (DBA) accounts.*

    • Level 1: Merchants that process more than 6 million transactions per year
    • Level 2: Merchants that process between 1 and 6 million transactions per year
    • Level 3: Merchants that process between 20,000 and 1 million transactions per year
    • Level 4: Merchants that process fewer than 20,000 transactions per year

    *In reality, the transaction thresholds for merchant levels vary slightly from card brand to card brand. The numbers referenced in this blog reflect the industry’s generic attempt to make levels easier to communicate.

    To determine your level, you should use historical transactions. If you don’t have volume, you may use projected volume as well.

    If you’ve had a security incident or operate in a high-risk industry, you may be placed in a lower-numbered level (and so a higher burden) than your volumes might imply. Ask your acquirer if you're not sure which level you are.

    What do I need to know about PCI Level 1?

    PCI Level 1 represents the highest burden to an organization. It is the most thorough, expensive, and time-consuming of all levels.

    • Number of transactions: Over 6 million transactions each year.
    • Vulnerability tests: Both your quarterly network scans and an external penetration test of your systems.
    • Assessor: Qualified Security Assessor (QSA)
    • Assessment method: Report on Compliance will assess your environment against each of the 339 PCI DSS requirements.

    Time and cost to become PCI level 1

    PCI level 1 merchant requirements are far more prescriptive than the other levels and, thus, easier to predict. The following estimates reflect the typical time and cost of an in-house cardholder environment; however, certain service providers, like Basis Theory, may be able to reduce these costs by as much as 90%.

    Time to build: Most estimates put building a PCI-compliant environment in the range of 4-7 months. 

    Time to certify: Preparing for an on-site assessment by a QSA can take months, but the time from starting an assessment to getting your ROC is typically around 4-8 weeks. Any findings in your ROC must be addressed before you close out your attestation for the year, which can increase timelines.

    Costs: The costs to become certified as PCI DSS level 1 vary significantly depending on the number of people, places, and things that touch cardholder data.

    • Quarterly network scans: $500-$5,000 per year
    • Penetration test: $5,000 to $20,000 per year
    • Assessment: $20,000 to $75,000 per year

    What do I need to know about PCI Level 2?

    Level 2 merchants are often challenged by acquirers to fulfill Level 1 requirements. This makes this level notoriously hard to predict. As always, consult a QSA or acquirer if you have questions.

    • Number of transactions: between 1 and 6 million
    • Vulnerability tests: Quarterly network scans by an Approved Scanning Vendor (unless a service provider is used)
    • Assessor: Self-assess, QSA or ISA
    • Assessment method: SAQ (your acquirer or payment service provider may require a ROC)

    What do I need to know about PCI Level 3?

    • Number of transactions: between 20,000 and 1 million transactions
    • Vulnerability tests: Quarterly network scans by an Approved Scanning Vendor (unless a service provider is used)
    • Assessor: Self-assess
    • Assessment method: SAQ

    What do I need to know about PCI Level 4?

    • Number of transactions: fewer than 20,000 transactions
    • Vulnerability tests: Quarterly network scans by an Approved Scanning Vendor (unless a service provider is used)
    • Assessor: Self-assess
    • Assessment method: SAQ

    Other FAQ about PCI DSS merchant levels

    Should I use historical or projected volume to identify my merchant level?

    You should use historical transaction volume if you have it, but if you don't, you can use projected volume to identify your merchant level.

    Where can I find resources about PCI DSS compliance merchant levels?

    You can find resources about PCI DSS compliance merchant levels on the PCI Security Standards Council website (https://www.pcisecuritystandards.org/) and on the websites of PCI DSS-approved assessors.

    What’s the difference between PCI DSS merchant levels and service provider levels?

    A merchant is a company that accepts credit card payments as a form of payment from customers. A service provider is a business entity involved in the storage, processing and transmission of data from cardholders. Due to the nature of these two entities, PCI has developed separate requirements for each. 

    What happens if I assess at the wrong level?

    If you assess at a lower level than you should, you may not be fully compliant with the PCI DSS requirements, which could result in fines or data breaches. If you assess at a higher level than you should, you may be wasting resources and money on unnecessary compliance measures.

    What are some ways to change my PCI DSS merchant level?

    Only your acquirer can change your merchant level, but you can significantly reduce the time, money, and impact of your level’s requirements on your organization by reducing the number of people, places, and things that are exposed to cardholder data. Using services, like Basis Theory, you reduce the effort to become and stay PCI compliant by as much as 99%—without losing capabilities or interrupting existing operations.

    Can I assess at a higher PCI DSS merchant level, even if I don’t have to?

    Yes, you can assess at a higher PCI DSS merchant level if you choose to do so, but it may result in additional compliance requirements and costs that may not be necessary for your business.

    If we didn’t answer your question, feel free to contact us on Twitter, join our slack community, or reach out to your friendly neighborhood QSA.

    Wrapping up

    Interested in descoping your PCI requirements and effort to store cardholder data? Check out our PCI Blueprint that can have you up and running with your own PCI environment in minutes. 
