PCI Merchant Levels

Acquirers are responsible for determining the compliance validation requirement levels of their merchants. Every merchant falls into one of the five merchant levels based on that merchant's annual Visa transaction volume. The transaction volume of a merchant is calculated based on the processing environment's aggregate number of Visa transactions processed by a merchant under a common business name, from a Doing Business As (DBA) or from a chain of stores, but not of a corporation that has several chains. Merchant levels are defined as:

Merchant Level | Description
1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Any merchant that has suffered a successful unauthorized intrusion that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant identified by any other payment card brand as Level 1.
2 | Any merchant processing between 150,000 and 6,000,000 Visa e-commerce transactions per year.
3 | Any merchant processing between 20,000 and 150,000 Visa e-commerce transactions per year.
4A | Any merchant processing between 1,000,000 and 6,000,000 Visa transactions per year.
4B | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing fewer than 1,000,000 Visa transactions per year.

In addition to adherence to the twelve security requirements and sub-requirements of the Payment Card Industry (PCI) Data Security Standards, compliance validation is required for Level 1, Level 2, Level 3 and Level 4A merchants, and strongly recommended for Level 4B merchants.

Level | Validation Action | Validated By | Enrolled By* | Validate By
1 | Annual Self-Assessment Questionnaire, Annual On-site PCI Data Security Assessment and Quarterly Network Scan | Qualified Independent Security Assessor | 9/30/05 | 12/31/05
2 and 3 | Annual Self-Assessment Questionnaire and Quarterly Network Scan | Qualified Independent Security Assessor | 9/30/05 | 12/31/05
4A | Annual Self-Assessment Questionnaire and Quarterly Network Scan | Qualified Independent Security Assessor | 9/30/05 | 12/31/05
4B** | Annual Self-Assessment Questionnaire and Quarterly Network Scan | Qualified Independent Security Assessor | TBD | TBD

Links to data security documents: