The PCI merchant levels are described below. Note that network security scanning is a compliance component for each level as follows:
| Merchant Level | Criteria | Onsite Review | Network Security Scan | Compliance Validation Date |
| --- | --- | --- | --- | --- |
| Level 1 | All merchants, including electronic commerce merchants, processing more than 6,000,000 transactions per year; all merchants that experienced an account compromise; all merchants that meet the Level 1 transaction criteria as set forth in the PCI framework | Required annually | Required quarterly | MasterCard: Visa: *New Level 1 merchants have up to one year from identification to validate. |
| Level 2 | All merchants processing 1,000,000 to 6,000,000 e-commerce transactions per year; all merchants that meet the Level 2 transaction criteria as set forth in the PCI framework | Not required | Required quarterly | MasterCard: Visa: |
| Level 3 | All merchants processing 20,000 to 1,000,000 e-commerce transactions per year; all merchants that meet the Level 3 transaction criteria as set forth in the PCI framework | Not required | Required quarterly | MasterCard: Visa: |
| Level 4 | All other merchants | Not required | Required quarterly | Consult Acquirer |
For Level 1 merchants, the annual onsite review may be conducted by either the merchant's internal auditor or a Qualified Security Assessor.
To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an Approved Scanning Vendor.
Level 4 Merchants are required to comply with the PCI Data Security Standard. Level 4 Merchants should consult their acquirer to determine if compliance validation is also required.