PCI Merchant Levels
Acquirers are responsible for determining the compliance validation requirement levels of their merchants. All merchants will fall into one of the five merchant levels based on annual Visa transaction volume of that merchant. The transaction volume of a merchant is calculated based on the processing environment aggregate number of Visa transactions processed by a merchant under a common business name or from a Doing Business As (DBA) or a chain of stores but not of a corporation that has several chains. Merchant levels are defined as:
|1||Any merchant-regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Any merchant that has suffered a successful unauthorized intrusion that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant identified by any other payment card brand as Level 1.|
|2||Any merchant processing between 1 million and 6 million Visa transactions per year.|
|3||Any merchant processing between 20,000 and 1 million Visa e-commerce transactions per year.|
|4||Any merchant processing fewer than 20,000 Visa e-commerce transactions per year or fewer than 1 million Visa transactions per year.|
In addition to adhering to the twelve security requirements and sub-requirements of the Payment Card Industry (PCI) Data Security Standards compliance on-site validation is required for Level 1 merchants, while Level 2, Level 3 and Level 4 merchants complete the SAQ.
|Level||Validation Action||Validated By|
|1||Annual Self-Assessment Questionnaire, Annual On-site PCI Data Security Assessment and Quarterly Network Scan||Qualified Independent Security Assessor|
|2 and 3||Annual Self-Assessment Questionnaire and Quarterly Network Scan||Qualified Independent Security Assessor|
|4**||Annual Self-Assessment Questionnaire and Quarterly Network Scan||Qualified Independent Security Assessor|
**For Canada, all Level 2, Level 3, Level 4 SAQs must be verified by a QSA.
Links to data security documents: