Merchant Levels and Their Impact on PCI DSS Compliance


If you work in retail or payment processing, you may already know about PCI DSS. However, you may not know the details of how compliance relates to transaction processing. For example, did you know that the size of your business and the number of transactions you process actually change how you comply with PCI DSS?

Here, we’ll break down the merchant levels in place to address this difference and how it could impact you as an organization facing PCI DSS requirements.



What Are the PCI DSS Merchant Levels?

PCI DSS is an industry-specific set of regulations put in place by credit card providers (Visa, Mastercard, American Express) to govern security and privacy controls for payment processors. While general federal, state and local laws provide a penal framework for acts like theft and fraud, PCI DSS imposes actual technical controls on companies to minimize and mitigate fraud before it happens.

Not all companies are created equal, however, and PCI DSS assumes that larger businesses face more significant threats than smaller ones. The requirements themselves are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

In addition to these requirements, regulations impose additional responsibilities on different merchants based on their size and the volume of transactions they process. These include:

  • Merchant Level 1: Any merchant that processes over 6 million transactions per year.
  • Merchant Level 2: Any merchant that processes between 1 and 6 million transactions per year.
  • Merchant Level 3: Any merchant that processes between 20,000 and 1 million transactions per year.
  • Merchant Level 4: Any company that processes fewer than 20,000 transactions per year.

Levels 2, 3 and 4 are somewhat similar, in that they are required to complete a Self-Assessment Questionnaire (SAQ). A SAQ essentially amounts to a self-assessment of PCI-approved controls to demonstrate compliance. Level 1, however, requires an annual, external assessment by a certified PCI DSS auditor such as a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA), resulting in a Report of Compliance (ROC) demonstrating adherence.

Level 2, alternatively and with approval, can undergo an external assessment towards the completion of a ROC. These organizations must also undergo mandatory audits if they choose to use specific versions of the SAQ that are deemed insufficient for compliance (SAQ A, SAQ A-EP or SAQ D).

Finally, any merchant can voluntarily undergo assessment to complete a ROC rather than complete a SAQ.


Why Is PCI Compliance Important for Merchants?

Compliance may seem like just another hoop to jump through for your organization. PCI compliance, however, is exceedingly important for the safety of your business and your customers. Some of the critical areas that PCI helps serve are:

  1. Customer Privacy: Customers, when paying for services either through a POS or online, expect that their information remains private and secure. If you cannot provide that, then you damage not only your brand reputation but the well-being of paying customers.
  2. Fraud Prevention: Fraud has skyrocketed, both before and especially during COVID. Proper PCI controls, while not 100% preventative, go a long way towards preventing fraud. Don’t forget that fraud impacts your bottom line as much as the account of a customer.
  3. Chargeback Prevention: Chargebacks are when a customer disputes a charge and receives a refund (and you lose money along with merchant standing). While most chargebacks result from fraud, many consumers have discovered how easy it is to dispute charges falsely to avoid paying for goods. Following that, adhering to PCI DSS controls can help you maintain the security and documentation necessary to stop chargebacks.
  4. Reduce Costs: Fraud and theft cost everyone: you, the card network, your acquiring bank, the lending bank and the customer. If you don’t handle PCI DSS compliance properly, you’re opening yourself and a whole network of people to unnecessary costs.


Lazarus Alliance Can Help with PCI DSS Auditing

Even if you are a merchant that exists at levels 3 or 4, the truth is that security auditing and maintenance are critical to your organization. Whether you are completing a SAQ or undergoing an audit, it’s crucial that you work with experts that can help you have not just compliant security, but the best security you can have based on your regulations and risk profile.

Lazarus Alliance brings decades of experience, automation and exposure to major compliance frameworks to make auditing simple and easy for you. This way, you can trust that your security works, that you are compliant and that you can focus on the work of building your business and serving customers.


Interested in Learning More About Lazarus Alliance PCI DSS Compliance Audit Services?

Call us at 1-888-896-7580 or fill out this form to learn more about our compliance and risk consulting and auditing services.
