PCI DSS: Merchant Levels Explained
All organizations that process, store, or transmit cardholder data must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). How organizations attest that compliance to the acquiring banks can differ, but there are two standard methods for attesting compliance:
Self-Assessment Questionnaire (SAQ):
An organization completes the assigned SAQ(s) internally to attest to current compliance status and provides that assessment documentation to the bank. There are no requirements for outside parties to verify or check the assessment.
Report on Compliance (RoC):
A RoC requires a Qualified Security Assessor (QSA) to audit an organization, and assess and validate every requirement to ensure the organization is meeting those requirements as set forth in the PCI DSS. Completing the RoC requires onsite inspections and is much more time-consuming (and expensive) as the QSA must document all evidence for each control (through screenshots, interview notes, policies, network configurations, etc.)
The compliance documentation your organization will need to complete depends on your merchant level but can be changed if given explicit approval by your acquirer. Merchant levels are based on the volume or number of card transactions for each card brand over a 12 month period. As the number of transactions increase, it makes sense that the risk for a data breach is also increasing, therefore, the fact that the PCI DSS requires additional steps to maintain and verify PCI compliance also makes sense.
To determine your merchant and risk level, you will want to want to look at the total number of payment card transactions per year across all card brands. You will need to distinguish between your retail (in-person) and e-commerce (online) transactions. The reason for this separation is that online transactions are typically more vulnerable to fraud and data breaches.
Each major card brand has their own criteria for assigning merchant levels. Level 1-3 merchants have more complex compliance requirements because of the size and nature of their business. Note that if a merchant suffers a breach that results in payment card data being compromised, they may be escalated to a higher merchant level and be required to attest their compliance at this new level for the following year (or more).
Summarizing the tables above reveals that, if you are a Level 1 Merchant, you can expect to complete a RoC. If you are Level 2, your bank may require you to complete a RoC, or they may give you the option to submit an SAQ if you have an ISA within your organization or enlist a QSA to lead the review. Level 3 and 4 merchants have the option to self-assess.
The card brands and banks may also require you to submit quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV) or any internet-facing systems that are part of your cardholder data environment.
As you also saw above, there are other methods of attesting compliance like American Express’s STEP Attestation. To qualify for the Security Technology Enhancement Program (STEP) you must attest that your organization:
Is currently compliant with the PCI DSS,
Has not experienced a data incident in the previous 12 months, and
Is processing at least 75% of your American Express card transactions through:
EMV-compliant terminals, OR
Using a PCI listed Point to Point Encryption (P2PE) solution
Using a P2PE solution that is reviewed and approved by a QSA1
Visa has a similar program, called the Technology Innovation Program (TIP), which allows merchants that primarily take payments in-person to invest in secure technologies to prevent fraud. If an organization does not store sensitive authentication data2 and 75% of the organization’s transactions occur through EMV chip-enabled terminals, validated P2PE solutions, or integrated industry-standard tokenization solutions meeting EMVCo Tokenization Specification, they can qualify for TIP.
Knowing which merchant level your organization falls under is key to understanding how to successfully attest your compliance annually and avoid non-compliance fees or fines. If you have questions on your current compliance requirements, please reach out to your dedicated Customer Advocate Team.
Some additional guidance from the CampusGuard Security Advisor Team:
[Burt]: Be sure to check with your acquiring bank annually to monitor card transaction volumes. This may not be a main concern for entities that do not have a large number of Merchant ID’s or do not perform significant card transactions annually. However, as you can see from the above article, the requirements change when moving up the merchant level scale. For example, when dealing with MasterCard, jumping from a Level 3 to a Level 2 can require additional reviews by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). In addition, Visa Level 1 merchants are required to complete a Report on Compliance, which can only be performed by a QSA. Obtaining outside assistance from a QSA or needing to have an internal resource on staff that maintains the ISA certification can present unexpected costs to an organization. Call CampusGuard now.
1 As per the American Express website, “In some cases, a Merchant may have installed an effective Point-to-Point Encryption (P2PE) Solution that has not yet been approved by PCI SSC. In this case, a Qualified Security Assessor (QSA) who has been trained by Payment Card Industry Security Standards Council (PCI SSC) may validate and approve that the P2PE solution installed in the Merchant’s systems meets the intent of the PCI SSC Point to Point Encryption requirements.”
2 Though the PCI DSS stipulates that sensitive authentication data must never be stored, this type of data is specifically called out as a term of qualifying for Visa TIP.