Are you classified as a merchant? If so, what level (1, 2, 3, 4)?
Explanation
Your standing under PCI DSS is at issue: whether you are classified as a merchant and, if so, which merchant level (1, 2, 3, or 4) applies to you.
A 'merchant' in PCI DSS terms is any entity that accepts payment cards (credit/debit cards) as payment for goods or services. The merchant levels (1-4) are determined primarily by the volume of card transactions processed annually:
- Level 1: Merchants processing over 6 million card transactions annually
- Level 2: Merchants processing 1-6 million card transactions annually
- Level 3: Merchants processing 20,000-1 million e-commerce transactions annually
- Level 4: Merchants processing fewer than 20,000 e-commerce transactions or up to 1 million regular transactions annually
This question is being asked in a security assessment because different merchant levels have different PCI DSS compliance requirements. Higher transaction volumes (Level 1) require more rigorous security controls and validation procedures, including mandatory annual on-site assessments by a Qualified Security Assessor (QSA). Lower levels may self-assess using the Self-Assessment Questionnaire (SAQ).
When answering this question, you should:
- Clearly state whether your organization accepts payment cards
- If yes, specify your merchant level based on transaction volume
- Mention any relevant compliance validations you maintain (e.g., ROC, SAQ)
- If you're not a merchant but still handle card data (e.g., as a service provider), clarify that distinction
Guidance
Refer to PCI DSS Security Standards for supplemental guidance in this section
Example Responses
Example Response 1
Yes, we are classified as a Level 1 Merchant under PCI DSS We process approximately 8.5 million credit card transactions annually through our retail and online channels As a Level 1 Merchant, we undergo an annual on-site assessment by a Qualified Security Assessor (QSA) and maintain a Report on Compliance (ROC) Our most recent PCI DSS v4.0 assessment was completed in March 2023, and we maintain continuous compliance monitoring throughout the year.
Example Response 2
Yes, we are classified as a Level 4 Merchant under PCI DSS We process approximately 15,000 e-commerce transactions annually through our online store As a Level 4 Merchant, we complete an annual Self-Assessment Questionnaire (SAQ A-EP) and Attestation of Compliance (AOC) We use a PCI DSS compliant payment gateway that handles the actual card processing, but since we control the checkout experience on our website, we maintain our merchant compliance obligations.
Example Response 3
No, we are not classified as a merchant under PCI DSS Our software platform does not directly process, store, or transmit cardholder data Instead, we integrate with third-party payment processors using their secure APIs where the customer is redirected to the processor's environment for payment Our customers (who may be merchants themselves) are responsible for their own PCI DSS compliance We do, however, maintain security controls aligned with industry standards like SOC 2 Type II and ISO 27001 to ensure the overall security of our platform.
Context
- Tab
- Case-Specific
- Category
- Payment Card Industry Data Security Standard (PCI DSS)
Related questions
- Do you have a current, executed within the past year, Attestation of Compliance (AoC) or Report on Compliance (RoC)?
- Is the application listed as an approved Payment Application Data Security Standard (PA-DSS) application?
- Does the system or solutions use a third party to collect, store, process, or transmit cardholder (payment/credit/debt card) data?
- Do your systems or solutions store, process, or transmit cardholder (payment/credit/debt card) data?
- Are you compliant with the Payment Card Industry Data Security Standard (PCI DSS)?
- Are you classified as a service provider?

