PCID-08

Are you classified as a merchant? If so, what level (1, 2, 3, 4)?

Explanation

This question is asking whether your organization is classified as a 'merchant' under the Payment Card Industry Data Security Standard (PCI DSS), and if so, what merchant level you fall under. A 'merchant' in PCI DSS terms is any entity that accepts payment cards (credit/debit cards) as payment for goods or services.

The merchant levels (1-4) are determined primarily by the volume of card transactions processed annually:

- Level 1: Merchants processing over 6 million card transactions annually
- Level 2: Merchants processing 1-6 million card transactions annually
- Level 3: Merchants processing 20,000-1 million e-commerce transactions annually
- Level 4: Merchants processing fewer than 20,000 e-commerce transactions or up to 1 million regular transactions annually

Note that these thresholds are set by the individual card brands and applied by your acquiring bank rather than by the PCI Security Standards Council itself, so confirm your assigned level with your acquirer before answering.

This question is being asked in a security assessment because different merchant levels have different PCI DSS compliance requirements. Higher transaction volumes (Level 1) require more rigorous security controls and validation procedures, including mandatory annual on-site assessments by a Qualified Security Assessor (QSA). Lower levels may self-assess using the Self-Assessment Questionnaire (SAQ).

When answering this question, you should:

1. Clearly state whether your organization accepts payment cards
2. If yes, specify your merchant level based on transaction volume
3. Mention any relevant compliance validations you maintain (e.g., ROC, SAQ)
4. If you're not a merchant but still handle card data (e.g., as a service provider), clarify that distinction

Guidance

Refer to the PCI DSS Security Standards for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, we are classified as a Level 1 Merchant under PCI DSS. We process approximately 8.5 million credit card transactions annually through our retail and online channels. As a Level 1 Merchant, we undergo an annual on-site assessment by a Qualified Security Assessor (QSA) and maintain a Report on Compliance (ROC). Our most recent PCI DSS v4.0 assessment was completed in March 2023, and we maintain continuous compliance monitoring throughout the year.

Example Response 2

Yes, we are classified as a Level 4 Merchant under PCI DSS. We process approximately 15,000 e-commerce transactions annually through our online store. As a Level 4 Merchant, we complete an annual Self-Assessment Questionnaire (SAQ A-EP) and Attestation of Compliance (AOC). We use a PCI DSS compliant payment gateway that handles the actual card processing, but since we control the checkout experience on our website, we maintain our merchant compliance obligations.

Example Response 3

No, we are not classified as a merchant under PCI DSS. Our software platform does not directly process, store, or transmit cardholder data. Instead, we integrate with third-party payment processors using their secure APIs, where the customer is redirected to the processor's environment for payment. Our customers (who may be merchants themselves) are responsible for their own PCI DSS compliance. We do, however, maintain security controls aligned with industry standards like SOC 2 Type II and ISO 27001 to ensure the overall security of our platform.

Context

Tab: Case-Specific
Category: Payment Card Industry Data Security Standard (PCI DSS)

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub