Merchant level tiers are based on their total transaction volume over a 12-month period. Identifying which level fits your business determines the requirements to validate for PCI DSS compliance.
PCI DSS Compliance Levels
Level 4 Merchant
Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.
- Self-Assessment Questionnaire (SAQ)
- Attestation of Compliance (AOC)
- Proof of Quarterly network scan by an Approved Scan Vendor (ASV)
Level 3 Merchant
20,000 to 1 million e-commerce Visa transactions annually.
- Self-Assessment Questionnaire (SAQ)
- Attestation of Compliance (AOC)
- Proof of Quarterly network scan by an Approved Scan Vendor (ASV)
Level 2 Merchant
1 to 6 million Visa transactions annually across all channels.
- Self-Assessment Questionnaire (SAQ)
- Attestation of Compliance (AOC)
- Proof of Quarterly network scan by an Approved Scan Vendor (ASV)
Level 1 Merchant
Merchants processing over 6 million Visa transactions annually or Global merchants identified as level 1 by any Visa region.
- File a Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA")” or Internal
- Auditor if signed by an officer of the company. We recommend the internal auditor obtain the
- PCI SSC Internal Security Assessor ("ISA") certification.
- Submit an Attestation of Compliance ("AOC") Form
- Proof of a quarterly network scan by an Approved Scan Vendor ("ASV")
If you are unsure which level your business belongs to, please contact support@zumrails.com for assistance.