This keeps coming up as an issue because of the confusing definitions on the Visa, MasterCard and Discover Web sites.
“Merchants processing 20,000 to 1 million Visa e-commerce transactions annually”
“Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually”
“All merchants processing between 20,000 and 1 million card-not-present only transactions annually on the Discover network”
In my opinion, the reason for the confusion is that definitions only mention eCommerce or card-not-present (CNP) payment transactions and no other payment channels. As a result, people think that other payment channels do not count for Level 3 merchants or that Level 3 merchants only do business through eCommerce or CNP payment transactions.
I have even encountered merchants that argue that they are exempt from PCI compliance because their organization does more than 20,000 eCommerce or CNP payment transactions and also processes payment transactions through other payment channels but, in total, has fewer than 1 million payment transactions. Some people will argue any point to avoid PCI compliance.
So if this is not true, exactly what is a Level 3 merchant?
Based on training and on discussions with the card brands over the years, Level 3 merchants have 20,000 or more eCommerce or CNP payment transactions, but cannot exceed 999,999 payment transactions from all payment channels combined.
As examples:
- A pure eCommerce merchant with no other payment channels can conduct up to 999,999 payment transactions through their Web site and be considered a Level 3 merchant.
- A merchant with 20,000 or more eCommerce or CNP payment transactions that also has one or more of the following: brick and mortar, mail order, telephone order or other payment channels, cannot exceed 999,999 payment transactions from all of their payment channels to be considered a Level 3 merchant.
If an organization exceeds a total of 999,999 payment transactions from all their payment channels they are, by definition, classified as a Level 2 merchant. If the merchant has fewer than 20,000 eCommerce or CNP payment transactions, then they would be classified as a Level 4 merchant.
Hopefully we all now understand the definition of a Level 3 merchant.
If I have 800,000/year card-present transactions through a dial-up terminal (no other sales channels), am I a level 3 or level 4 merchant based on your interpretation? (I understand the final word is the acquirer.)
800K in card present transactions with no eCommerce transactions makes you a Level 4 merchant. Level 4 is merchants that have less than 20K in eCommerce transactions and less than 1M in total transactions.
Visa Europe’s website is explicit that level 4 only applies to ‘e-commerce merchants only’ processing fewer than 20,000 VISA transactions. However, the validation requirements are exactly the same as for a level 3 merchant. Level 3 is merchants processing 20,000 to one million Visa e-commerce transactions annually but the crucial words ‘e-commerce merchants only’ are omitted. Just to help, they add another category not given a merchant level and described as ‘non e-commerce merchants – processing up to one million Visa transactions annually’. Interestingly, Visa asks for an ASV scan for the ‘non e-commerce merchant’ but not for the level 3 or 4, even though these could be using SAQ A (EP) and this SAQ does require an ASV scan.
(Just to add to the ambiguity, I noticed recently that although SAQ A does not include the requirement for an ASV scan, the form still asks the merchant to supply one – though I suspect this is just an error by the PCI SSC in the form design.)
In my experience, when acquirers set the merchant's level they are more interested in the total number of transactions than which card brand they are.
I think you need to re-read their table. They have an eCommerce and a non-eCommerce category under Level 4.
Even so, what the Visa Europe Web site states is no different than what the Visa USA site states and all other Visa sites for merchant levels.
Lord knows why they wrote the criteria the way they did, but the way I’ve always read it is that if you are processing less than 1 million transactions a year then you are a level 4 merchant – unless you happen to process 20,000 e-commerce transactions in which case you’re slightly more interesting and won’t be totally ignored like all the other level 4 merchants.
A friend emailed me and reminded me that way back in the day, Visa and MasterCard were more concerned about eCommerce and that Level 3 merchants were exclusively eCommerce only. However, over time, Level 3 morphed to also include merchants that do more than 20K transactions in eCommerce or card-not-present (CNP) in addition to other payment channels.
Ok, that’s not how I had interpreted it, not at all…
I figured, since compliance is based on risk, levels represented risk level.
Levels 1 and 2 are clear.
At the opposite scale, Level 4 is also clear: you are not doing much eCommerce (Not Level 3) or less than 1M terminal-based transactions (not Level 2).
And level 3 is there to identify eCommerce specifically, as it is generally riskier; the floor limit is 20k trx per year, until you reach 1M, meeting Level 2 criteria.
To me, a convenience store is level 4, unless they start taking online orders and end up doing more than 55 CNP per day, on average, on their website. (20k / 365)
Same for a leather clothing store, even though the terminal based trx may rise to 500,000 / yr, as long as e-Commerce is below 20k. Say they do not sell coats, because of fraud risk, only belts and small stuff.
Terminal based trx are less risky, unless you reach the 1M per year, because Level 2 is both CNP and CP trx.
Thanks for the info…!
PS. Maybe a way to figure it would be to make growth scenarios, like mine above, stating how the business starts and what level it reaches when sales go above certain criteria. In my view, it would be possible to go Level 4 to Level 2 directly…
We have actually debated this within our company to some extent if we are a Level 2 or a Level 3 merchant. The guidelines from the payment processors actually state things like “Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.” The keyword that makes this debatable within our company is the word Visa. Our understanding via reading multiple sources is that the 1M number must be with a single payment card brand. So even though we have combined 1M+ CC transactions per year, we do not have more than 1M with Visa, MasterCard, or Amex individually. Do you have any documentation which disputes this interpretation which is what your post seems to suggest is the case?
If you are really concerned, you are more than welcome to email the individual card brands and get their take on the topic. Their compliance email addresses are on their Web sites.
While you may be debating Visa, versus MasterCard, versus Discover, it is your acquiring bank that determines your merchant level. No one else. So while you can have an opinion and I can have an opinion, it is your acquiring bank that will define your merchant level.
PCIGuru-
Thanks for the advice – I went ahead and contacted our acquiring bank and they confirmed that we are Level 3 and that my understanding of the levels is correct.
They actually provided the following wording:
Level 1: 6+mm transactions annually with one card brand
Level 2: 1mm to 6mm transactions annually from any acceptance channel with one card brand.
Level 3: 20,000 to 1mm e-commerce transactions annually with one card brand.
Level 4: Less than 20,000 e-commerce or less than 1mm transactions from any acceptance channel with one card brand
The only problem with the interpretation you got is that it plays into the hands of the PCI compliance deniers. Where do the merchants that do 20K+ of eCommerce transactions, but also have other payment channels and are below the 1M mark for Level 2 end up? They do not meet the criteria for Level 4 because they have too many eCommerce transactions and, under your definition, they also do not meet Level 3 and they are not Level 2. The only logical place for such merchants is Level 3.
I don’t think it is unclear. The only difference in the wording is the one card brand aspect, which has always been there in the descriptions from the individual payment card brands – they just refer to themselves in the statement as Visa or Mastercard – instead of the generic “one card brand” definition.
If you are a merchant that does 20+k e-commerce transactions with a single card brand, then you are Level 3 period.
However, if you are a merchant that does, for example, 60k e-commerce transactions, but those transactions are distributed between the payment card brands in a way such that you are doing less than 20k e-commerce transactions with any single brand, you are Level 4.
This is the same policy that applies to our company and makes us Level 3, even though we do more than 1Mil CC+ e-commerce transactions in aggregate. Because we do not exceed 1Mil with any individual brand, we are Level 3.
Other payment channels have the same criteria but they never impact Level 3 status. Level 3 ONLY applies to e-commerce merchants. If you do not do e-commerce and are under 1Mil with any one payment card brand you are Level 4. Otherwise you are Level 2.
Maybe I am missing something. If this still isn’t clear, can you give an example company’s transaction amounts that you believe don’t fit into these categories?
I wouldn’t be too smug about your situation. I am hearing more and more that acquiring banks and processors are taking aggregate transaction accounts into consideration and pushing merchants into the higher merchant levels regardless of the card brand breakdowns.
This isn’t the first time I have been told that “training and discussions with the card brands” override clear, unambiguous wording in the defining documents. This is unacceptable. If the PCI council or the brands think they have mistakes in their documents they are free to amend them, but until they do the documents stand.
In discussions with the card brands, they argued that the wording was clear even though I pointed out there is no reference to other payment acceptance methods.
Yes, it is clear, and no, there is no reference to other payment acceptance methods. They are free to amend the text if they consider that it is being wrongly misunderstood.