PCI 30 seconds Newsletter N°4 – Merchant levels: What, Who and How

Blog Post created by dgodart on Jun 1, 2011

In today's post Iwill briefly outline the levels associated with PCI, and more specifically themerchant levels.


What is a level?

“Level” is a classification of organizations accepting and processing credit cards. They are defined and used by the payment brands to indicate what compliance validation procedures and reporting requirements targeted entities are expected to complete.


There is no consensus in this area between payment brands (this would be too easy ) so there are as many levels defined as there are payment brands.


They are mainly defined based on the number of transaction processed annually on the payment brand networks.


Who determines the level applicable to a merchant?

Since acquirers are responsible for merchants’ compliance they are the ones who determine the level applicable to a merchant.


So if a merchant accepts multiple brands and those brands utilize different acquirers, the merchant could be subjected to multiple levels according to the acquirers.


How do they determine the applicable level?

Acquirers qualify the applicable level mainly based on the number of transactions processed annually, as well as any account compromises experienced by the merchant.


Merchant levels definition per payment brands and transaction volume



Merchant levelsjpg.jpg



Side notes:

  • No Level 4 merchant for American Express
  • No Level 3 and Level 4 merchants for JCB International
  • Payment brands reserve the right to escalate a merchant’s level dependent on risk such as previous compromise where PCI requirements were not in place.



American Express