What are “Merchant Levels” and do they affect me?

 

Look at the “Merchant Levels” below and find the one that you fit into. The levels differ by whether you have been attacked and by the total amount of sales you have in a year.

 

Source: pcisecuritystandards.org

Approved Scanning Vendors (ASV)

Although there are technically three (3) other major payment brands (AMEX, Discover, and JCB), compliance with the two (2) brands noted here, VISA and MasterCard, generally covers the others. Listed below are the merchant levels, criteria, and related validation requirements for VISA and MasterCard:

Merchant Level: 1
Merchant Criteria: (1). Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year.  (2). Any merchant that has had a data breach or attack that resulted in an account data compromise.  (3). Any merchant identified by any card association as Level 1.
Validation Requirements: (1). Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”) – also commonly known as a Level 1 onsite assessment – or by an internal auditor if signed by an officer of the company. (2). Quarterly network scan by an Approved Scanning Vendor (“ASV”). (3). Attestation of Compliance Form.

Merchant Level: 2
Merchant Criteria:  1 million – 6 million Visa or MasterCard transactions annually (all channels).
Validation Requirements for VISA and MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form.

Merchant Level: 3
Merchant Criteria: Merchants processing 20,000 to 1 million Visa or MasterCard e-commerce transactions annually.
Validation Requirements for VISA and MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form.

Merchant Level: 4
Merchant Criteria:  Less than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.
Validation Requirements for VISA and MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form. Note: Ultimately, compliance validation requirements are set by the acquirer.


Last Update: July 4, 2017  

July 4, 2017 674 Eric Anderson  Executives
