Understanding PCI Compliance
Before I begin, I want to clarify one important item: only your processor(s), acquiring bank(s), and/or card brand(s) can give you a definitive answer regarding your merchant level. I originally published this article in 2020, but I have updated it with the latest level information and included UnionPay.
Compliance with PCI DSS is crucial for any organization that stores, processes, and/or transmits credit card information. PCI DSS also applies to any service provider that can affect the security of another organization’s cardholder data environment (CDE). Maintaining and managing compliance with PCI DSS can require heavy lifting within an organization, but the right partner can help ease the load.
While the number of requirements depends on the payment environment and the number of transactions, it is important to understand the different levels and how each card brand determines the compliance requirements.
History of the PCI DSS
The PCI-DSS was conceived in 2004 after five of the largest payment card issuers (Visa, MasterCard, American Express, Discover, and JCB) formed a consortium called the Payment Card Industry Security Standards Council (PCI SSC) to tackle the ever-growing issue of card fraud. Instead of burdening merchants with five separate security standards, they decided to pool their resources and create a single, comprehensive standard that all five providers would accept. UnionPay was added more recently.
As the cyber-security landscape has continued to evolve over the years, the PCI-DSS has had to change to address new threats and new fraudster tactics. Since the initial release of PCI-DSS 1.0 in 2004, the standard has undergone several revisions, the latest being version 4.0.1, released in 2024.
The number of controls depends on the number of transactions processed by the merchant per year.
PCI DSS Merchant Levels
There are several merchant levels, each with a slightly different list of requirements, and largely determined by the number of transactions processed each year.
Why define separate levels in the first place? The payment card industry (PCI) uses merchant levels to determine risk and ascertain the appropriate level of security for their businesses. Specifically, merchant levels determine the amount of assessment and security validation that is required for the merchant to pass the PCI DSS assessment.
At a very high level, the PCI DSS merchant levels are as follows:
- Level 1 – Over 6 million transactions annually
- Level 2 – Between 1 and 6 million transactions annually
- Level 3 – Between 20,000 and 1 million transactions annually
- Level 4 – Less than 20,000 transactions annually
While these tiers seem relatively straightforward at first glance, on closer inspection it may be difficult to discern exactly which one your organization falls into, because the card issuers each maintain their own table of merchant levels. You’ll find that each one defines its levels a bit differently.
Even though the card issuers define their own levels, it’s important to note that Discover, Visa, and Mastercard all use the same general criteria to define theirs, with a few minor differences. Though JCB and American Express have their own versions, it is generally accepted that if you are a level for one provider, you will be considered the same for all, with a few minute exceptions.
To view each card issuer’s table of merchant levels, use the links below:
Taking a closer look, the merchant levels are as follows:
Level 1
Criteria:
- Over six million Visa, MasterCard/Maestro or Discover Network transactions annually
- Two and a half million or more American Express transactions annually
- Over one million JCB or UnionPay transactions annually
- Merchants that have suffered a data breach or cyberattack that resulted in cardholder data being compromised
- Merchants that have been identified by another card issuer as Level 1
- Merchants that the card brands determine should meet the Level 1 merchant requirements to minimize risk to the system
Merchants dealing with high transaction volumes from American Express, JCB, or UnionPay may find themselves classified as Level 1 merchants, especially if they have few or no transactions with Visa, MasterCard/Maestro, or Discover Network.
Discover Network Transactions
It’s important to clarify that it’s not solely about Discover card transactions, but rather Discover Network transactions. In the U.S., by accepting Discover or Diners Club cards, merchants may have inadvertently agreed to also accept JCB cards. This is because Discover processes Diners Club and JCB transactions in the U.S. and parts of Europe. Therefore, your merchant agreement with Discover likely includes JCB as well. Moreover, in regions outside of Europe, JCB processes transactions for Discover and Diners Club in certain countries. This emphasizes the need to thoroughly review your merchant agreement with your processor to ensure that JCB cards are not included.
Level Classifications
Keep in mind that if you are designated as a Level 1 merchant by one card brand, this classification applies across all other card brands as well.
Validation Requirements:
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or Internal Auditor if signed by an officer of the company. The Internal Auditor must be a PCI-certified Internal Security Assessor (ISA).
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance Form
Level 2
Criteria:
- One to six million Visa, MasterCard/Maestro, or Discover Network transactions annually
- More than 50,000 to two and a half million American Express transactions annually
- Less than one million JCB transactions annually
- 100,000 to one million UnionPay transactions annually
Review of Merchant Agreements and Classification Implications
It is essential to review your merchant agreement with your processor to confirm whether JCB cards are included. If your agreement does encompass JCB cards, even if you have never processed a transaction with them (noting that zero is less than one million), you could technically be classified as a Level 2 merchant by your processor or acquiring bank.
Reporting Requirements for MasterCard/Maestro Merchants
For merchants accepting MasterCard/Maestro, which applies to most merchants, the reporting requirements become more complex. According to MasterCard’s website, Level 2 merchants completing either SAQ A, SAQ A-EP, or SAQ D must engage a PCI SSC-approved Qualified Security Assessor (QSA) or a PCI SSC-certified Internal Security Assessor (ISA) for compliance validation. Alternatively, Level 2 merchants may choose to engage a QSA or ISA to complete a Report on Compliance (ROC) instead of performing a Self-Assessment Questionnaire (SAQ).
Level Classification Consistency
It is important to note that if you are classified as a Level 2 merchant by one card brand, this classification will apply across all other card brands. Thus, if you find yourself impacted by the JCB situation described earlier, you will also be classified as a Level 2 merchant with MasterCard and may need to hire a QSA for compliance. Should this occur, you have the option to appeal to your acquiring bank or the respective card brands to request the removal of JCB from your agreement.
Validation Requirements:
- Annual Self-Assessment Questionnaire (SAQ) completed by a Qualified Security Assessor (QSA), or by an Internal Auditor if signed by an officer of the company. The Internal Auditor must be a PCI-certified Internal Security Assessor (ISA).
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance Form
Level 3
Criteria:
- 20,000 to one million Visa e-commerce transactions annually but less than or equal to one million Visa transactions from all payment channels in total annually
- 20,000 or more combined MasterCard and Maestro e-commerce transactions annually, but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
- One million or less Discover Network transactions annually
- 10,000 to 50,000 American Express transactions annually
- Not applicable for JCB
- 10,000 to 99,999 UnionPay e-commerce transactions annually
Validation Requirements:
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance Form
Level 4
Criteria:
- Fewer than 20,000 Visa e-commerce transactions annually, and all other merchants with up to one million Visa transactions annually
- Fewer than 20,000 combined MasterCard and Maestro e-commerce transactions annually, and all other MasterCard/Maestro merchants
- Fewer than 10,000 American Express transactions annually
- Not applicable for JCB
- Fewer than 10,000 UnionPay e-commerce transactions annually
Validation Requirements:
- These largely depend on the requirements of the merchant’s acquiring bank
- Typically include an SAQ and Quarterly Network Scan by ASV
- Level 3 and Level 4 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA for an onsite assessment instead of performing a self-assessment.
Visa updated its validation requirements for small merchants as of January 31, 2017 (the full document can be found here), but here are the sections I want to point out. All Level 4 merchants must use only Payment Card Industry (PCI) certified Qualified Integrator and Reseller (QIR) professionals for point-of-sale (POS) application and terminal installation and integration. Effective January 31, 2017, acquirers must ensure Level 4 merchants annually validate PCI DSS compliance or participate in the Technology Innovation Program (TIP). Participation in TIP allows qualifying merchants to discontinue the annual PCI-DSS validation assessment.
Note: Single-use terminals without Internet connectivity (dial-up terminals) are considered low-risk and may be excluded from these requirements.
One other thing to note here is that if you have been breached, you will automatically be classified as a Level 1 merchant for PCI compliance purposes, regardless of transaction volume. Conducting a full ROC, even for a small organization, will likely be extremely daunting and expensive. So there is an added incentive for Level 2 through Level 4 merchants to make sure that they truly are PCI compliant.
Fines and Consequences
Monthly Penalties:
Non-compliance can result in penalties ranging from $5,000 to $100,000 per month imposed by the credit card companies (Visa, MasterCard, Discover, AMEX). Penalties depend on the volume of clients and transactions; these volumes also help determine what level of PCI-DSS compliance a company should be on.
Data Breaches:
PCI DSS Compliance does not prevent data breaches; companies that meet PCI DSS requirements can suffer attacks and data loss. If a company is compliant and suffers a data breach, it can still be responsible for paying penalties. However, the card brands may significantly lower or eliminate fines if the company in question has taken all the necessary steps to be PCI DSS compliant.
- The average cost of a breach is $150 per record, according to the Ponemon Institute’s 2019 “Cost of a Data Breach” report
- Costs of card replacement or issuing, between $3 and $10 per card
- Increased rates charged by banks and/or processors
- Termination of the merchant relationship with the credit card brands
- Lawsuits by the clients whose information has been breached
- Security costs related to mandatory credit monitoring for customers whose data was compromised, identity theft repair, etc.
- Costs of the forensic investigation to determine the causes of the data breach
Legal Action:
Lawsuits against your company can be a common outcome. In 2007, TJX Companies (best known as the parent company of Marshalls and T.J. Maxx) had to pay $40.9 million for a data breach that put an estimated 100 million bank cards at risk. In 2014, 1.1 million clients of Neiman Marcus were affected by another data breach.
Damaged Reputation:
Putting clients’ bank card information at risk can result in irreversible damage to a company’s reputation; this is in addition to any of the elevated costs that would be incurred by the organization. Once your security has been endangered, it will be very difficult for your clients to start trusting you again.
Revenue Loss:
In addition to the loss of brand reputation, a merchant can expect revenue to drop drastically due to the loss of clients following a security breach. In 2013, a large retail merchant was ordered to pay $18.4 million for a data breach that affected more than 41 million customers. This led the merchant to a $440 million loss of revenue in the first quarter following the breach.