
PCI compliance: A breakdown of merchant levels

Companies must determine their merchant level to become compliant with the PCI DSS.

Entrepreneurs across the country have brilliant ideas for developing goods and services that customers want to purchase. These companies operate brick-and-mortar locations, online storefronts or both, and they have a number of legal responsibilities to fulfill. One such obligation is complying with the Payment Card Industry Data Security Standard (PCI DSS). While these guidelines are not mandated by any state or federal body, failing to adhere to them could cost businesses large sums of money in noncompliance penalties.

Many questions arise when it comes to the PCI DSS, and there is a lot of information organizations must sift through to understand which rules apply to their enterprise. Let's take a closer look at PCI compliance, specifically the differences between merchant levels under the standard:

Organizations accepting debit, credit or prepaid cards should become PCI compliant.

What's the definition of a merchant?
The PCI DSS defines a merchant as any entity that accepts payment cards – debit, credit or prepaid – bearing the names and symbols of the five members of the Security Standards Council as payment for goods and services. These parties are MasterCard, American Express, Visa, Discover and JCB.

The PCI DSS applies to any organization – regardless of size and number of transactions processed – that accepts, transmits and stores cardholder data. This encompasses companies that accept payment over the phone and through ecommerce sites as well.

Merchant compliance levels
The PCI SSC recognizes that every organization is different. As a result, the council has designated different compliance levels for merchants depending on the number of Visa transactions processed over a 12-month period.

If a corporation owns more than one merchant, it must aggregate the transactions of all of them to determine its merchant level. The chart below, based on the PCI DSS, will assist businesses in identifying the level whose requirements they must follow for complete compliance:

Merchant Level 1: Any merchant that processes over 6 million Visa transactions per year, as well as any merchant Visa determines should meet Level 1 requirements to minimize risk.
Merchant Level 2: Any merchant that processes 1 million to 6 million Visa transactions per year.
Merchant Level 3: Any merchant that processes 20,000 to 1 million Visa ecommerce transactions per year.
Merchant Level 4: Any merchant that processes fewer than 20,000 Visa ecommerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year.

In addition, merchants that have experienced a data breach resulting in an account data compromise may be moved to a higher merchant validation level.

Companies have many obligations to ensure they protect their customers' data over the long haul. Complying with the PCI DSS reduces the likelihood of external attacks on stored client information and gives businesses actionable steps to protect sensitive material. In addition, adhering to these guidelines can increase client satisfaction, loyalty and trust.

Many merchants find these standards not only difficult to understand but also difficult to comply with. To avoid potential penalties, these businesses often partner with a third party that ensures adherence. SFG offers companies the highest level of compliance, guaranteeing that organizations follow every rule down to the specifics to protect customer data.
