Merchant Levels and Compliance Validation Requirements Defined
All merchants fall into one of four merchant levels based on transaction volume over a 12-month period. Transaction volume is based on the aggregate number of transactions. In cases where a merchant has more than one Merchant ID, the aggregate volume of all transactions stored, processed or transmitted by the merchant is used to determine the validation level.
In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. The PCI DSS requires that all merchants with externally facing IP addresses perform quarterly external network scans to achieve compliance. Acquirers may require submission of the quarterly scan reports and/or questionnaires by Level 4 merchants. Any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.
| Level / Tier | Criteria |
|---|---|
| 1 | 6 million+ annual transactions |
| 2 | 1 million to 6 million annual transactions |
| 3 | 20,000 to 1 million annual transactions |
| 4 | 1 to 20,000 annual transactions |
Information provided by VISA (http://usa.visa.com/merchants/risk_management/cisp_merchants.html)