There seems to be a lot of confusion over these two merchant levels. As such I thought I would take a quick moment to clarify them.
From the respective Web sites, here are the definitions for a Level 3 Merchant.
“20,000 to 1 million ecommerce Visa transactions annually” – Visa USA
“Any merchant with more than 20,000 combined Mastercard and Maestro e-commerce transactions annually but less than or equal to one million total combined Mastercard and Maestro e-commerce transactions annually” OR “Any merchant meeting the Level 3 criteria of Visa” – MasterCard
From the respective Web sites, here are the definitions for a Level 4 Merchant.
“Merchants processing less than 20,000 Visa ecommerce transactions annually and all other merchants processing up to 1 million Visa transactions annually” – Visa USA
“All other merchants” – MasterCard
The operative factor is eCommerce transactions. Level 3 has always been about eCommerce. It was specifically created to identify those small merchants that were predominately eCommerce focused. That delineation is important because of the risk presented by card not present (CNP) payment transactions as well as the potential loss of sensitive authentication data (SAD) or cardholder data (CHD) from Web sites used for eCommerce.
However, where the confusion occurs is that both merchant levels end at 1 million total transactions from all payment sources (i.e., eCommerce, MOTO, card present, etc.).
The bottom line is that if your organization is conducting more than 20,000 payment transactions through your eCommerce payment channel, but your total number of payment transactions is less than 1 million, then you are a Level 3 Merchant. Otherwise, your organization is a Level 4 Merchant.
Now we should all be on the same page.
PCI Guru 
1 Response to “Level 3 Versus Level 4 Merchants”