Determining Your Merchant Risk Level for PCI Compliance
Both VISA and Mastercard have created a structure for determining the risk level of a merchant. The more transactions you process, the more risk you pose to the two credit card organizations. In order to maintain some sort of order within PCI compliance, VISA and Mastercard have created 4 risk levels that will apply to any particular business.
Knowing which risk level you fall under is important mainly because your merchant account provider will require different documents/procedures for each level. Most merchants don’t even understand what each of these levels are, so before you can send in the right documentation, you have to understand what each level means, and which one applies to you.
Here are the 4 PCI merchant levels and requirements from VISA’s site. Mastercard’s levels/requirements are nearly identical:
|Level/Tier||Merchant Criteria||Validation Requirements|
|Level 1||Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region.|
|Level 2||Merchants processing 1 million to 6 million Visa transactions annually (all channels).|
|Level 3||Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.|
|Level 4||Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.|
As you can see, the PCI compliance levels are pretty self-explanatory. I’ve highlighted Level 4 because a large majority of you will fall under this risk level. So, the next time your provider or processor tells you that you are a Level 4 merchant, you’ll know exactly what they’re talking about.