What are PCI DSS Merchant Levels, and Why are they Important in Payment Processing?

PCI DSS Merchant Levels in Payment Processing

Does your business collect, use, store, and process cardholder information? You likely have heard of the PCI DSS standard. 

PCI DSS is a security standard created by credit card companies to add a security layer. So, suppose you plan to build and maintain PCI compliance for your company. In that case, you need to understand the ins and out’s of the framework, including things required by a merchant, PCI compliance, and how these levels impact the compliance requirements.  

PCI DSS Merchant Levels Include:

  • Level1: In this level, merchants who did around 6 million transactions a year across different channels or any merchant who had a data breach came.
  • Level 2: This level holds the merchants between 1-6 million transactions annually across different channels.
  • Level3: This includes 20,000 and 1 million online transactions per annum merchants.

Now that you have a brief about all the levels, let’s get into a deep understanding of these PCI DSS processing levels and what they include:

What Is Level 1 Processing?

Level 1 processing includes businesses-to-consumer credit card transactions

In these transactions, consumers use their credit cards to make purchases. Therefore, the data required to fill in level 1 is also quite simple; you simply need to fill in the merchant name, transaction amount, and required data. 

Criteria For Level1: The requirements for level 1 include merchants processing:

  • More than 6 million Mastercard, Visa, or Discover transactions annually
  • More than 2.5 million American Express Transactions annually
  • More than 1 million JCB transactions annually

Validation Requirements:

  • Annual ROC (Report on Compliance) from a qualified Security Assessor
  • Quarterly network scan by ASV (approved Scan Vendor)
  • Attestation of Compliance form

 What is Level 2 Processing? 

Level 2 processing includes filling in more detailed transaction details to support B2B and simple businesses. Large businesses and government agencies use these business-specific transactions. 

In this level of payment processing, the merchants can control and monitor the corporate and employee spending, thereby improving customer service for the business clients. The data needed for this level of processing includes:

  • Name of the merchant
  • Transaction amount
  • Date of transaction
  • Tax amount
  • Customer code
  • Merchant postal code
  • Tax identification
  • Merchant minority code
  • Merchant state code

Criteria For Level 2:

  • Merchants process between 1 million and 6 million Visa, Mastercard, or Discover transactions every year
  • Merchants processing between 50,000- 2.5 million American Express Transactions annually

Validation Requirements: 

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network by Approved Scan Vendor (ASV)
  • Attested compliance Form

Related Read: 9 Questions to Ask When Considering a New Alternative Payment Processing Method

What Is The Level 3 Of Credit Card Processing?

Level 3 credit card processing is the most detailed card processing where the transactions are made with corporate or government purchasing cards. In this, government agencies and businesses use these cards for enhanced reporting and more control over employees’ purchases. The data fields required for the level3 (apart from the one used in level 2 fields) processing are:

  • Item product code
  • Item description
  • Quantity
  • Item tax rate
  • Ship from postal code
  • Duty amount
  • Freight amount
  • Destination postal code
  • Country code and more


  • Merchants processing between 20,000 and 1 million Visa e-commerce transactions
  • Merchants process between 20,000 Mastercard transactions annually but less than (or =) 1 million total Mastercard transactions annually
  • Merchants Processing 20,000 to 1 million Discover card-not-resent only transactions annually
  • Less than 50,000 American Express Transactions

Validation Requirements:

  • Annual SAQ (self-assessment questionnaire)
  • Quarterly network scan by ASV (Approved Scan Vendor)
  • Attestation of Compliance Form

Why Are These Merchant Levels Used? 

The merchant levels are used to define authenticity and security validation for a merchant to pass the PCI DSS level.

Generally, all levels except level 1 should complete the self-assessment questionnaire and pass a quarterly scan approved by the ASV. In addition, these merchants are required to have onsite data security assessments. Also, for level 1 merchants, along with the PCI DSS compliance, merchants are required to submit the Annual Report on the compliance attested by the Qualified Security Assessor.

Merchants that fall under level 2 or 3 have to report their PCI compliance status directly to the acquiring banks.

What Are The Benefits Of Level 2 And Level 3 Credit Card Processing Transactions? 

B2B credit card processing transactions help businesses build strong relationships with their clients. This also helps in increasing large ticket transactions with government agencies and corporations.

Each level of the credit card transaction possesses different requirements needed for its verification and authorization. These requirements can vary from very limited to detailed ones and determine the type of customers and clients your business serves.

Who The PCI Level Applies To?  

The PCI DSS level is often applied to all acquirers, issuers, merchants, and service providers. Also, depending upon the levels of PCI compliance, your compliance journey can be different. 


Considering that data breaches are still happening in organizations, there’s a need for PCI DSS continuous monitoring. 


Please enter your comment!
Please enter your name here