Payment Card Industry Data Security Standard (PCI DSS) compliance and cybersecurity program Merchant Compliance Levels Definition

Both Visa and Mastercard have specific merchant category definitions for all businesses that store, process, or transmit card holder data. PCI DSS compliance requirements vary by merchant level.

Please click on the links below for full details on their respective websites:

Mastercard

Level 1

Criteria

• Any merchant having more than six million total combined Mastercard and Maestro transactions annually
• Any merchant meeting the Level 1 criteria of Visa
• Any merchant that Mastercard, in its sole discretion determines should meet the Level 1 merchant requirements to minimize risk to the system

Requirements

• Annual PCI DSS assessment resulting in the completion of a Report on Compliance (ROC)¹

Level 2

Criteria

• Any merchant with more than one million but less than or equal to six million total combined Mastercard and Maestro transactions annually
• Any merchant meeting the Level 2 criteria of Visa

Requirements

• Annual Self-Assessment Questionnaire (SAQ)²

Level 3

Criteria

• Any merchant with more than 20,000 combined Mastercard and Maestro e-commerce transactions annually but less than or equal to one million total combined Mastercard and Maestro e-commerce transactions annually
• Any merchant meeting the Level 3 criteria of Visa

Requirements

• Annual Self-Assessment Questionnaire (SAQ)³

Level 4

Criteria

• All other merchants⁴

Requirements

• Annual Self-Assessment Questionnaire (SAQ)³

‍Visa

• Level 1: Merchants processing over 6 million Visa transactions annually across all channels or Global merchants identified as Level 1 by any Visa region.
• Level 2: 1 to 6 million Visa transactions annually across all channels.
• Level 3: 20,000 to 1 million Visa e-commerce transactions annually.
• Level 4: Merchants processing less than 20,000 Visa ecommerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.