Merchant Levels and Compliance Validation Requirements Defined

Every merchant falls into one of four merchant levels based on transaction volume over a 12-month period. Transaction volume is the aggregate number of transactions. Where a merchant has more than one Merchant ID, the aggregate volume of all transactions stored, processed or transmitted by the merchant across all of its Merchant IDs is used to determine the validation level.

In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2 and Level 3 merchants, and may be required for Level 4 merchants. The PCI DSS requires that all merchants with externally facing IP addresses perform quarterly external network scans to achieve compliance. Acquirers may require Level 4 merchants to submit the quarterly scan reports and/or self-assessment questionnaires. Any merchant that has suffered a breach resulting in an account data compromise may be escalated to a higher validation level at the discretion of the card brand or acquirer.

Level / Tier    Criteria

Level 1         6 million+ annual transactions
  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance form

Level 2         1 million to 6 million annual transactions
  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 3         20,000 to 1 million annual transactions
  • Annual SAQ
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 4         1 to 20,000 annual transactions
  • Annual SAQ recommended
  • Quarterly network scan by an ASV, if applicable
  • Compliance validation requirements set by the merchant bank (acquirer)

Information provided by VISA (