The level assigned to a merchant is based primarily on the merchant's annual transaction volume, counting all transactions regardless of acceptance channel (card-present, e-commerce, mail/telephone order). The levels are defined by the card brands rather than by the PCI DSS itself; Visa and MasterCard each publish their own, and the two programs are closely aligned. Their purpose is to help an acquirer determine what the merchant must do to demonstrate "validation" of its compliance with the PCI DSS. Note that the level only sets the validation requirement; every merchant that stores, processes or transmits cardholder data must comply with the full PCI DSS regardless of level. There are currently four (4) merchant levels.
Level 1 is the most stringent level. It is assigned to any merchant processing more than 6 million Visa or MasterCard transactions annually (across all channels), and to any merchant that has suffered a security breach resulting in an account data compromise, whatever its volume. A Level 1 merchant is required to have an on-site PCI security assessment performed annually by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC), and to perform a quarterly external network vulnerability scan.
A Level 2 merchant is one processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year, regardless of acceptance channel. Level 2 merchants are required to complete an annual Self-Assessment Questionnaire (SAQ), to have a network vulnerability scan of their external-facing IP addresses performed at least quarterly by an Approved Scanning Vendor (ASV), and to submit an annual Attestation of Compliance (AOC) covering both the Visa and MasterCard programs.
A Level 3 merchant is one processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions per year. Level 3 merchants are required to complete an annual Self-Assessment Questionnaire (SAQ) and to have a network vulnerability scan of their external-facing IP addresses performed at least quarterly by an Approved Scanning Vendor (ASV).
A Level 4 merchant is one that processes fewer than 20,000 Visa or MasterCard e-commerce transactions annually, or, regardless of acceptance channel, fewer than one million Visa or MasterCard transactions annually. For Level 4, completion of the annual Self-Assessment Questionnaire (SAQ) and a quarterly external network vulnerability scan (where applicable, i.e. where the merchant has external-facing systems that store, process or transmit cardholder data) are recommended by Visa and MasterCard; the actual validation requirements are set by the merchant's acquirer, which may make them mandatory.