If you take card payments on any of the five card brands that make up the PCI SSC (Payment Card Industry Security Standards Council), you will be placed into one of four compliance levels, and that level determines how you must validate your PCI DSS compliance.

Known as “merchant levels”, these tiers depend on several factors, including the number of transactions you process annually and whether your organisation has previously suffered a compromise of account data.

In this guide, we’ll be explaining what merchant levels are and which merchant levels apply to different types of business. But first, it’s time for a quick refresher…

What is the PCI SSC?

The PCI SSC is an independent industry standards body (not a government regulator), formed by and comprised of the five major card brands: Visa, American Express, Discover Financial Services, JCB and MasterCard.

Working together in an independent capacity, these card brands maintain and continually improve the PCI DSS (Payment Card Industry Data Security Standard), with the goal of protecting cardholder data and reducing the potential for fraud and data breaches.

What are Merchant Levels?

Merchant levels are one of the tools used to improve the safety and security of payments and customer data. The levels themselves are defined by the individual card brands rather than by the PCI SSC, and they are enforced through your acquiring bank. Compliance is a contractual obligation rather than a legal requirement, but any company (including contact centres) that accepts card payments on the big five brands will need to comply or risk financial penalties from the brands and its acquirer.

There are four levels that your organisation may fall into, defined primarily by the number of transactions you process annually, but also by your breach history. The level reflects the risk your customers are exposed to when transacting with you, and it determines how rigorously you must validate compliance (for example, an on-site assessment by a QSA versus a self-assessment questionnaire). The PCI DSS requirements themselves apply to every merchant that stores, processes or transmits cardholder data, regardless of level.

Which Merchant Level Does Your Contact Centre Fall Into?

The following guidelines will help you decide which merchant level applies to you and which steps you need to take to ensure PCI DSS compliance:

Merchant level 1

Merchant criteria:

  • You process 6,000,000+ transactions annually
  • You have been the victim of a data breach which compromised account data
  • You have been identified by any card association as merchant level 1

Validation requirements:

  • Undergo an annual on-site assessment by a PCI SSC-qualified Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC)
  • Have external vulnerability scans performed quarterly by an Approved Scanning Vendor (ASV); note that penetration testing is a separate PCI DSS requirement and is not a service an ASV provides
  • Submit an Attestation of Compliance (AOC)

Merchant level 2

Merchant criteria:

  • You process between 1,000,000-6,000,000 transactions annually

Validation requirements (exact rules vary by card brand, so confirm with your acquirer):

  • Complete an annual Self-Assessment Questionnaire (SAQ); some brands, for example MasterCard, require it to be completed by a PCI SSC-certified Internal Security Assessor (ISA) or a QSA
  • Have external vulnerability scans performed quarterly by an ASV
  • Submit an Attestation of Compliance (AOC)

Merchant level 3

Merchant criteria:

  • You process between 20,000 and 1,000,000 ecommerce transactions annually

Validation requirements:

  • Complete an annual Self-Assessment Questionnaire (SAQ)
  • Have external vulnerability scans performed quarterly by an ASV
  • Submit an Attestation of Compliance (AOC)

Merchant level 4

Merchant criteria:

  • You process fewer than 20,000 ecommerce transactions annually
  • You process fewer than 1,000,000 non-ecommerce transactions annually

Validation requirements:

  • Complete an annual Self-Assessment Questionnaire (SAQ); most brands recommend rather than mandate this, and your acquirer sets the specific requirement
  • Have external vulnerability scans performed quarterly by an ASV where applicable
  • Validation requirements beyond this are set by your acquirer

Do you have questions about your merchant level or PCI DSS compliance in general? Would you like to learn more about smart PCI solutions that allow you to descope your payment environment? We’re here to help. Contact our payment security experts today for advice, support and further information.

This guide is the third chapter of our eBook ‘Starting Your PCI Compliance Journey’.