31 Jul 11

Merchant Levels

I get requests all of the time regarding how to determine an organization’s merchant level.  Even though the card brand Web sites have this information posted, the questions still persist.  But even with those tables and references such as this post, it is very important for all merchants to remember that the only entities that can definitively set a merchant’s level are the merchant’s processor(s), acquiring bank(s) or the card brands.

So, while what I am going to discuss in this post should provide the information necessary for most merchants to determine their merchant level, you cannot use this post as the definitive answer on this subject.  This is only my opinion.  Again, if you want a definitive answer, you need to get that from your processor(s), acquiring bank(s) or card brand(s).  Also, before I forget, I have not included a discussion regarding vulnerability scanning, penetration testing and other requirements, so you will need to reference the card brand tables for those other requirements.

One would think that this issue is simple to resolve.  After all, the card brands have this information posted on their Web sites.  So, you just go to their Web sites and figure it out.  Oh, if it were only that simple.

Card Brand Merchant Level Tables

The first problem most merchants run into is that Visa, MasterCard, Discover, American Express and JCB all have tables for merchant levels.  Which leads to the first question merchants typically have; “Whose table should I use?”

The answer is you use the tables for only those card brands for which you have a merchant agreement.  This sounds easy enough, but as we will see later on, might not be as simple as you might think.

Things can get even easier for some merchants.  While Visa, MasterCard and Discover have their own table of merchant levels, if you compare them, you will note that Visa, MasterCard and Discover have gotten together and decided to use the same criteria for determining merchant levels.  So, if the only credit cards you accept as a merchant are Visa, MasterCard and/or Discover, you only need to reference the Visa tables as their merchant level criteria are all the same.  But for those merchants that accept American Express and/or JCB in addition to the other card brands, do not fret.  The card brands have made things easy for you as well.  If you are a given merchant level for any other card brand, you are that merchant level for every card brand.  However, as we discuss the merchant level criteria, for merchants accepting American Express or JCB credit cards, smaller processing volumes of those cards can easily make you a Level 1 or 2 merchant.

With the exception of Merchant Level 3, transaction volumes are the total number of credit card transactions processed, regardless of whether those transactions are card present, card not present, e-Commerce, whatever.  Level 3 introduces the concept of counting e-commerce transactions on their own, but we will discuss this a bit later.

The Big, Bad, Ugly Level 1 Merchant

Level 1 merchants are the easiest to define and the ones that must go through the full Security Assessment Procedures and produce a Report On Compliance (ROC).  If you are a merchant that meets any of the following annual transaction processing volumes, you are a Level 1 merchant to all of the card brands:

  • Over six million Visa, MasterCard or Discover transactions
  • Two and a half million or more American Express transactions
  • Over one million JCB transactions

The first thing merchants that have big transaction volumes with American Express or JCB need to realize is that they can easily end up a Level 1 merchant with very few Visa, MasterCard or Discover transactions.

I Am A Level 2 Merchant, I Can Do A Self-Assessment Questionnaire

On the face of things, Level 2 merchants are also easy to define.  If your organization meets any of the following annual transaction processing volumes, you are a Level 2 merchant to all of the card brands.

  • One to six million Visa, MasterCard or Discover transactions
  • 50,000 to two and a half million American Express transactions
  • Less than one million JCB transactions

Where things get complicated for merchants is in regards to the credit cards they have agreed to accept, particularly JCB cards.  It turns out that if you have agreed to accept Discover or Diners Club cards, you may also have inadvertently agreed to accept JCB cards.  In the United States and some of Europe, Discover processes Diners Club and JCB transactions and your merchant agreement with Discover may have included JCB.  Overseas, JCB processes for Discover and Diners Club in some countries.  As a result, you will need to review your merchant agreement with your processor to make sure that JCB cards are not included in your agreement.  If your merchant agreement does cover JCB cards, even if you have never processed a JCB transaction (mathematically zero is less than one million), technically you could be classified as a Level 2 merchant by your processor or acquiring bank.

For merchants that accept MasterCard, and that would be most merchants, things get further complicated regarding what you need to do for reporting.  A few years ago, MasterCard tried to get Level 2 merchants to do a ROC for compliance instead of an SAQ.  Thankfully after a lot of complaints, that requirement died a quick death.  However, as of June 30, 2012, MasterCard is requiring their Level 2 merchants to:

  • Use an internal person certified as an Internal Security Assessor (ISA) by the PCI SSC to create their Self Assessment Questionnaire (SAQ); or
  • Use a Qualified Security Assessor (QSA) to conduct the PCI Security Assessment Procedures (SAP) and file a ROC.

So those of you Level 2 merchants that were looking forward to only doing an SAQ, you might want to clear that with your processor first.

And remember, if you are classified as a Level 2 merchant by one card brand, you are that level for all other card brands.  So, if you get caught in the JCB conundrum I described above, you will be a Level 2 merchant to MasterCard and you may have to do a ROC.

What Is A Level 3 Merchant Exactly?

At Level 3, things get a bit more complicated, mostly because at this point some of the card brands do not even have a Level 3 classification.  However, as I stated with Level 2, if you have JCB cards being processed, you will end up as a Level 2 merchant regardless.

Where Level 3 really confuses people seems to be the fact that the criteria now focuses on one particular type of sales delivery method, e-commerce.  If your organization meets any of the following criteria, you are a Level 3 merchant.

  • 20,000 to one million Visa e-commerce transactions annually
  • 20,000 to one million combined MasterCard and Maestro e-commerce transactions annually
  • 20,000 to one million Discover card-not-present only transactions annually
  • Less than 50,000 American Express transactions

An additional trick with the Level 3 merchant classification is related to the e-commerce sales channel.  According to Visa, MasterCard and Discover, if your organization has 20,000 to one million e-commerce transactions, you can also have less than one million transactions through other sales channels such as physical stores, mail orders and telephone orders and still be a Level 3 merchant even though your total number of transactions technically exceeds one million transactions and is less than two million in total.

As with Level 2, if you are a Level 3 merchant for one card brand, you are a Level 3 merchant for all card brands.

Level 4, I Can Do Nothing

Level 4 merchants process less than 20,000 Visa e-commerce transactions annually and/or process up to 1 million transactions annually.  As with the other merchant levels, if you are classified as a Level 4 merchant, you are a level 4 merchant for all card brands.

As a Level 4 merchant, you are only recommended to attest to your organization’s PCI compliance.  This means that filing an SAQ with your processor or acquiring bank is not required by the card brands.  However, as I posted earlier, some processors are not only requiring that Level 4 merchants file an SAQ, they also require that a QSA sign off on your SAQ.  If you are a Level 4 merchant in Canada, Visa Canada is also requiring that a Level 4 merchant’s SAQ is signed off by a QSA. (As of October 2010, a QSA does not need to sign off on a Level 4 merchant’s SAQ.)

Clear as mud, right?  Well, there are some other issues that need to be considered before you can claim you are a particular merchant level.

Holding Companies And Legal Entities

What can bring the first twist into the merchant level setting process is how your organization is legally incorporated or structured.  If your organization is a holding company with multiple legal entities underneath it, then your multiple legal entities will have their own individual merchant level and require an individual PCI compliance report filing.  A good example of this is Yum! Brands and their A&W, Long John Silver’s, Pizza Hut, KFC and Taco Bell restaurants.  The restaurants are separate legal entities and therefore have their own merchant level and their own PCI ROC.

Sometimes you can negotiate with your processor or acquiring bank to get your multiple legal entities treated as a single entity and do one compliance filing, but they are not obligated to go along with this request.  The key is that you need to negotiate this change before you start your PCI compliance efforts, not after the fact.

Another fact that can complicate this holding company relationship is how the organization processes their transactions.  In some organizations, the individual entities all process their transactions separately under their own merchant numbers and even possibly with their own processor(s) and/or acquiring bank(s).  In other instances, the holding company aggregates transactions from all of the entities, but the transactions are still processed under individual merchant numbers and may be processed through different processors.  And in a third variation, the holding company aggregates the transactions and processes everything under one merchant number.  In the first two instances, typically each entity is going to be responsible for their individual PCI compliance and will report separately.  In the last instance, the holding company is usually held responsible for each entity’s PCI compliance.  However, any determination of what is correct is going to be up to the acquiring bank(s).

And one other thing that comes up regarding holding companies.  There are organizations that attempt to use their legal incorporation as a way to manipulate the level setting process.  They also have each legal entity process transactions through different processors so that their transaction volumes are not known between the processors.  While in the past this was a good strategy to keep your organization filing SAQs, processors have gotten wise to this game and are talking to one another as well as documenting the processors used in the reports.  So for those of you playing this game, it is only a matter of time before you will be found out and possibly have your merchant level changed.

Been Breached?

Take a close look at your merchant agreement regarding PCI compliance.  There should be a statement that says if you suffer a breach, your organization will automatically be classified as a Level 1 merchant for PCI compliance purposes, regardless of transaction volume.  All of the card brands added this to their merchant agreements a number of years ago.

Unless you are already a Level 1 merchant, just the thought of not being able to file an SAQ should put the fear of God in you.  Conducting a full ROC, even for a small organization, will likely be extremely daunting and expensive.  So there is added incentive for you Level 2 through 4 merchants to make sure that you truly are PCI compliant.
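To make the rules above easier to check against real numbers, here is an added example in Python that is not part of the original post and not taken from any card brand document.  It encodes the thresholds from the tables in this post, the e-commerce twist for Level 3, the rule that your highest level for any one brand is your level for every brand (including the JCB case where an agreement with zero transactions still lands you at Level 2), and the post-breach reclassification.  The brand keys, the BrandVolume fields and the handling of exact boundary values (for example exactly one million JCB transactions) are my assumptions; the levels come out the way the post describes them, and your processor, acquiring bank or card brand still has the last word.

```python
"""Merchant level classifier built from the thresholds in this post.

Constructed illustration, not the card brands' or the post author's code.
Boundary handling at exact threshold values is an assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

VISA_MC_DISCOVER = ("visa", "mastercard", "discover")


@dataclass
class BrandVolume:
    total: int = 0          # all annual transactions for this brand, any channel
    ecommerce: int = 0      # e-commerce subset (card-not-present for Discover)
    accepted: bool = True   # merchant agreement covers the brand (matters for JCB)


def visa_mc_discover_level(v: BrandVolume) -> int:
    """Visa, MasterCard and Discover use the same criteria."""
    if v.total > 6_000_000:
        return 1
    other_channels = v.total - v.ecommerce
    # Level 3 is e-commerce specific: 20,000 to one million e-commerce
    # transactions plus under one million through all other channels keeps
    # you at Level 3 even when the combined total passes one million.
    if 20_000 <= v.ecommerce <= 1_000_000 and other_channels < 1_000_000:
        return 3
    if v.total >= 1_000_000:
        return 2
    return 4


def amex_level(v: BrandVolume) -> int:
    if v.total >= 2_500_000:
        return 1
    if v.total >= 50_000:
        return 2
    return 3  # the post's table: under 50,000 American Express transactions


def jcb_level(v: BrandVolume) -> int:
    if v.total > 1_000_000:
        return 1
    return 2  # any JCB agreement, even with zero transactions, is Level 2


# Hypothetical brand keys chosen for this example.
BRAND_RULES: Dict[str, Callable[[BrandVolume], int]] = {
    **{b: visa_mc_discover_level for b in VISA_MC_DISCOVER},
    "amex": amex_level,
    "jcb": jcb_level,
}


def merchant_level(volumes: Dict[str, BrandVolume], breached: bool = False) -> int:
    """Highest level (lowest number) across accepted brands applies to all."""
    if breached:
        return 1  # merchant agreements reclassify a breached merchant as Level 1
    levels: List[int] = []
    for brand, v in volumes.items():
        if brand not in BRAND_RULES:
            raise ValueError(f"unknown brand: {brand}")
        if not v.accepted:
            continue  # no agreement for this brand, so its table does not apply
        levels.append(BRAND_RULES[brand](v))
    return min(levels) if levels else 4


if __name__ == "__main__":
    # Constructed sample merchants, including the mixed-volume case a
    # commenter asked about and the JCB-by-accident case from the post.
    samples = {
        "5M Visa / 2M MC / 1M Amex": {
            "visa": BrandVolume(5_000_000),
            "mastercard": BrandVolume(2_000_000),
            "amex": BrandVolume(1_000_000),
        },
        "4M Visa / 3M MC / 3M Amex": {
            "visa": BrandVolume(4_000_000),
            "mastercard": BrandVolume(3_000_000),
            "amex": BrandVolume(3_000_000),
        },
        "500K Visa, JCB in agreement but unused": {
            "visa": BrandVolume(500_000),
            "jcb": BrandVolume(0),
        },
        "500K e-commerce + 800K in stores": {
            "visa": BrandVolume(1_300_000, ecommerce=500_000),
        },
    }
    for name, vols in samples.items():
        print(f"{name}: Level {merchant_level(vols)}")
```

Running the script prints Level 2, Level 1, Level 2 and Level 3 for the four constructed merchants, which is what the tables in the post give when worked by hand.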

So that is merchant levels.  I hope this gives you the guidance you seek.  It definitely should give you the background you need to discuss the topic intelligently with your processors and acquiring banks.

UPDATE: I ran into a person from Yum! Brands at the 2011 PCI Community Meeting and they informed me that they file one ROC for all of their restaurant brands; technically they could file separately for each, but they do not.  I was only using them as an example and apologize for misrepresenting their filing status.


19 Responses to “Merchant Levels”


  1. 1 Tom 101
    November 24, 2016 at 11:26 PM

    When we consider the merchant level, if a merchant has 5 million VISA, 2 million MC and 1 million Amex, would the total number of transactions be looked at (which is 8 million) and the merchant considered to be Merchant Level 1, or, because individually each of them is below 6 million transactions, is the merchant considered to be Level 2?

    • November 25, 2016 at 8:54 AM

      You would be a Level 2 merchant for all of these card brands. However, as a Level 2 for MasterCard, you must conduct a Report On Compliance (ROC) performed either by an ISA or a QSA.

      For clarification, all of the card brands recognize the following rule which has been in place since the start of the PCI DSS. A merchant or service provider is always judged to be at the highest level for ALL brands. So if your example would have been 4 million Visa transactions, 3 million MasterCard transactions and 3 million American Express transactions, then your organization would be a Level 1 merchant because you had exceeded American Express’ 2.5 million transactions for Level 1.

      That said, it is always at the discretion of the brands and acquiring banks to determine a merchant’s or service provider’s level. So it behooves all merchants and service providers to confirm their level every year before they conduct their assessment.

  2. July 18, 2016 at 2:26 PM

    Thanks for the breakdown of this.

    Can you confirm with an appropriate source (e.g. PCI Council, TrustWave, AMEX, VISA etc.) that the merchant level of 1 card type can affect another?
    More specifically, if I am a merchant level 4 with VISA/MC and a merchant level 2 with AMEX …are you saying that I am actually a level 2 with VISA/MC as well?

    • July 18, 2016 at 3:03 PM

      That has always been the rule from day one of the PCI DSS. However, it is enforced by the card brands, not the PCI SSC. So you would have to contact them to get their official statement on this topic.

      So in your example, if you are designated as a Level 2 merchant with American Express, you would be a Level 2 merchant for all other card brands. That said, given the definition used by American Express for Level 2 of 50K to 2.5M annual transactions and assuming you are well under 1M in American Express transactions, one could make an argument to all the brands that you are a Level 4 merchant (assuming you also do less than 20K in eCommerce transactions). That is not to say they would agree with you, but it would be worth a discussion. The reason is that if you are Level 2 with MasterCard, they require a Report On Compliance (ROC) to be generated which I am sure you are wanting to avoid.

  3. Greg
    April 10, 2013 at 6:58 AM

    What if you do 20,001 to 999,999 visa/MasterCard transactions per year. You do no e-commerce at all, and 50%+ of the transactions are card not present.

    Does that make you a level 3 or are you still a level 4?

    • April 12, 2013 at 5:28 AM

      My understanding is that Level 3 is exclusively for eCommerce only merchants. So, you would be Level 4.

    • Adalberto
      December 22, 2014 at 11:51 AM

      Dear PCI Guru:

      I was doing a Google search regarding “How to determine an organization’s pci merchant level” and this post of yours came across, which is very interesting and somehow detailed in its content, but in the “Card Brand Merchant Levels Tables” section of this post you mentioned this:

      “The card brands have made things easy for you as well. If you are a given merchant level for any other card brand, you are that merchant level for every card brand. However, as we discuss the merchant level criteria, for merchants accepting American Express or JCB credit cards, smaller processing volumes of those cards can easily make you a Level 1 or 2 merchant.”

      What called my attention was this statement: “you are that merchant level for every card brand”; after visiting the Card Brand’s websites and reading the Visa AIS program document I did not find any statement that confirms what you are saying.

      I also noticed that the date of your post is July 31, 2011 but you also mentioned this on a more recent post dated December 26, 2012 at 3:05 PM (https://pciguru.wordpress.com/mmiscellaneous-questions-page/), My question to you is this:

      Is this statement still applicable? And if it is, where can I find the official document where the card brands are supporting such statement?

      Please do not misunderstand my question, I am not doubting your knowledge and ample experience in this field, but I am just applying the “Trust and verify” statement applied in this field, that is why I would like to know the source of this statement.

      I would really appreciate it if you could take a little of your time to respond to my question.

      Sincerely

      Adalberto

      • December 23, 2014 at 10:00 AM

        Visa being the big dog makes no mention of the merchant level reciprocity situation. However, both MasterCard and Discover do mention that other card brands’ merchant levels are a consideration in their own merchant levels. In the case of MasterCard, they specifically call out that if Visa considers a merchant at a given level, then so does MasterCard.

        If you think about it, this only makes sense. If a merchant is Level 2 for MasterCard and MasterCard requires a Report On Compliance (ROC), why would the other card brands not accept the ROC and MasterCard’s merchant level designation? Otherwise, you would have merchants doing a ROC for some card brands and an SAQ for others. That would drive merchants right over the edge.

  4. August 24, 2011 at 9:46 AM

    Thank you for all the informative posts. As a hypothetical, what would a small e-commerce only merchant who processed less than 5,000 VISA/MC and less than 1,000 AMEX transactions be? I am interpreting Level 4 from your information above, but that doesn’t seem entirely clear because AMEX isn’t referenced in your table for Level 4.

    Also, I am not clear from the above as to what the requirements of a Level 3 merchant would be?

    • August 24, 2011 at 1:30 PM

      Technically, the AmEx transactions make you a level 3 merchant but I would check with your acquiring bank and AmEx and see if you can file as a level 4 merchant.

      • August 24, 2011 at 3:10 PM

        Thanks! As you recommended, I am verifying all this with my merchant payment processor who ultimately makes the final determination. Your reply suggests that there is some opportunity to have your assigned merchant level reevaluated/reassigned, correct?

        I’m currently using an open source software solution (Drupal/Ubercart) and found your PCI/DSS post on that highly informative. If you have new information on that topic, I think it would be a great topic to update.

        Would you reply as to your understanding of the certification requirements for a Level 3 merchant? SAQ? QSAC ROC? Required, recommended? My business doesn’t have the volume to justify it at present, but from the post I don’t see what the requirements would be. Thanks again 🙂

      • August 25, 2011 at 11:07 AM

        If you are a level 3 merchant, you are required to do an SAQ. However, you really need to confirm with your acquiring bank your merchant level as it sounds from your message that you may not be a level 3 merchant. Regardless, if you want the assistance of a QSA in helping you go through your SAQ, that is up to you, but it is not required. Some processors are more flexible on merchant level determination than others, but the levels are the levels and it is difficult to get assigned to a lower level.

        I don’t really have any new information on open source solutions. As I said, it’s not impossible for an open source solution to be PA-DSS certified, it’s just that most will never be able to be certified because of the nature of how they are developed and maintained.

  5. andy
    August 16, 2011 at 10:12 AM

    Do you have a reference for this:

    ” However, as I stated with Level 2, if you have JCB cards being processed, you will end up as a Level 2 merchant regardless,”

    I have looked around and I have only found this:

    http://partner.jcbcard.com/security/jcbprogram/index.html

    I can’t find anything to support the notion that those processing less than 1 million JCB transactions are considered level 2.

    • August 16, 2011 at 9:07 PM

      JCB only has two levels, merchants with one million or more transactions per year (Level 1) and merchants that transact less than one million transactions (Level 2). They may not label them that way any more, but that is how to interpret the merchant table on their Web page that you referenced.

      • Andy
        August 17, 2011 at 7:44 AM

        I understand what you are saying and I don’t dispute your interpretation. My question is more pointed towards what to do with that info.

        If I can’t find something from JCB or a relevant payment processor, then I can’t mention the possibility to an organization. If the payment processor has been ok with an organization at level 3, then that’s probably what they are going to continue doing. I would just like to be able to give some warning that this may come up. If there is nowhere to reference that, then I guess it just doesn’t exist until the payment processor brings it up.

      • August 17, 2011 at 12:22 PM

        If your processor and/or acquiring bank tell you that your organization is a particular merchant level, then you are that merchant level. The assumption is that your processor/acquiring bank know about your organization and can make that determination in an informed manner. However, whether or not they actually have all of that information to make an informed decision can be an issue.

  6. T.Anne
    August 1, 2011 at 7:37 AM

    FYI MasterCard has changed their deadline for when Level 2 Merchants need to have an ISA if they decide to fill out a SAQ. It’s moved to June 30, 2012 now. It is my understanding that this is a result of ISA training not being available to all level 2s by their original 2011 deadline.

    http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html

    • August 1, 2011 at 4:29 PM

      Thank you for the update. I have not received that updated date, but it makes sense.

