Townsend Security Data Privacy Blog

What Merchant Level am I? Comply with PCI DSS at Every Level

Posted by Liz Townsend on Oct 11, 2012 9:46:00 AM


At Townsend Security, a large share of our customers are in the retail industry, which means that every day we work with these businesses to assess their data security posture so that they can meet the compliance requirements of PCI DSS. Often a company comes to us because it believes a PCI audit is imminent and it needs an immediate solution. These companies already know they are in trouble, and by the time they find us they have had to work out both their current security status and the PCI Compliance Level they fall under.

[Learn More: PCI DSS 5 Take-Aways to Take Away the Pain!]

However, many merchants who fail PCI audits discover this information about themselves too late. In fact, many businesses go a long time believing that they do NOT need to comply with PCI DSS, for a variety of reasons. We hear things like "Our business is too small," "We'll never get audited," or, perhaps worst of all, "Our data is secured using a firewall and passwords" (we actually heard this from a well-known restaurant chain, which suffered a data breach two months later).

Here's the truth: ALL merchants that handle cardholder data, regardless of size, must comply with PCI DSS. The first questions a merchant needs to ask itself are: What Merchant Level am I? Am I meeting the validation requirements for my Merchant Level? And would I pass a PCI audit?

PCI DSS is a single security standard that every major card brand requires its merchants to meet. There is no single definition of merchant levels, however: each card brand defines its own levels, although the definitions are similar, straightforward, and centered on the number of card transactions a merchant processes per year. Here are Visa's definitions, for example:

Level / Tier (1) | Merchant Criteria | Validation Requirements

Level 1
  Criteria: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region (2)
  Validation requirements:
  • Annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA"), or by an internal auditor if signed by an officer of the company
  • Quarterly network scan by an Approved Scanning Vendor ("ASV")
  • Attestation of Compliance form

Level 2
  Criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  Validation requirements:
  • Annual Self-Assessment Questionnaire ("SAQ")
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 3
  Criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  Validation requirements:
  • Annual SAQ
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 4
  Criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
  Validation requirements:
  • Annual SAQ recommended
  • Quarterly network scan by an ASV, if applicable
  • Compliance validation requirements set by the acquirer

(1) Compromised entities may be escalated to a higher level at regional discretion.

(2) A merchant that meets the Level 1 criteria in any Visa country/region and operates in more than one country/region is considered a global Level 1 merchant. An exception may apply to global merchants that have no common infrastructure and do not aggregate Visa data across borders; in such cases the merchant validates according to regional levels.

[Mastercard’s Merchant Level descriptions can be reviewed here.]

If you are a Level 3 or Level 4 merchant, you will not have to go through an annual on-site PCI audit; instead you complete a yearly Self-Assessment Questionnaire about your security practices (plus the quarterly ASV scans and the Attestation of Compliance). In practice, a Level 3 or 4 merchant is only audited after a data breach or after it is found to be out of compliance with PCI DSS. Keep in mind the two caveats in Visa's own table: your acquirer sets the validation requirements for Level 4 and can demand more, and a merchant that suffers a compromise can be escalated to a higher level, with the on-site assessment that brings.

However, Level 3 and 4 merchants should never use the lighter validation burden as an excuse for weak security. Smaller businesses need to be aware that they are at higher risk of a data breach precisely because data security feels like less of a concern to them. It is becoming increasingly obvious that attackers target smaller businesses more often than larger ones, because they know smaller businesses are, in general, more vulnerable. After a breach, a small or medium-sized business may never recover from the financial penalties that follow.

So how do you protect the cardholder data you store, process, and/or transmit in a way that is PCI DSS compliant? Our white paper breaks it down into five steps.

Download our white paper "Meeting the Challenges of PCI Compliance" to learn what an auditor will look for, how you can ensure your data is secure, and why auditors look specifically at encryption key management.

Topics: Compliance, PCI DSS