Both Visa and Mastercard have specific merchant category definitions for all businesses that store, process, or transmit card holder data. PCI DSS compliance requirements vary by merchant level.
Please click on the links below for full details on their respective websites:
Level 1
Criteria
- Any merchant having more than six million total combined Mastercard and Maestro transactions annually
- Any merchant meeting the Level 1 criteria of Visa
- Any merchant that Mastercard, in its sole discretion determines should meet the Level 1 merchant requirements to minimize risk to the system
Requirements
- Annual PCI DSS assessment resulting in the completion of a Report on Compliance (ROC)1
Level 2
Criteria
- Any merchant with more than one million but less than or equal to six million total combined Mastercard and Maestro transactions annually
- Any merchant meeting the Level 2 criteria of Visa
Requirements
- Annual Self-Assessment Questionnaire (SAQ)2
Level 3
Criteria
- Any merchant with more than 20,000 combined Mastercard and Maestro e-commerce transactions annually but less than or equal to one million total combined Mastercard and Maestro e-commerce transactions annually
- Any merchant meeting the Level 3 criteria of Visa
Requirements
- Annual Self-Assessment Questionnaire SAQ)3
Level 4
Criteria
Requirements
- Annual Self-Assessment Questionnaire (SAQ)3
- Level 1: Merchants processing over 6 million Visa transactions annually across all channels or Global merchants identified as Level 1 by any Visa region.
- Level 2: 1 to 6 million Visa transactions annually across all channels.
- Level 3: 20,000 to 1 million Visa e-commerce transactions annually.
- Level 4: Merchants processing less than 20,000 Visa ecommerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.
1. Level 1 merchants must undergo an annual PCI DSS assessment resulting in the completion of a ROC conducted by a PCI SSC-approved Qualified Security Assessor (QSA) or PCI SSC-certified Internal Security Assessor (ISA).
2. Level 2 merchants completing SAQ A, SAQ A-EP or SAQ D must additionally engage a PCI SSC-approved QSA or PCI SSC-certified ISA for compliance validation. Level 2 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA or PCI SSC-certified ISA to complete a ROC instead of performing an SAQ.
3. Level 3 and Level 4 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA to complete a ROC instead of performing an SAQ.
4. Level 4 merchants are required to comply with the PCI DSS, although validation of compliance to Mastercard is not required, except as required by applicable law or regulation.
.png)