PCI DSS Compliance Levels and Validation


Levels of PCI-DSS Requirements

Under PCI DSS (Payment Card Industry Data Security Standards), a merchant’s compliance reporting requirements differ based on their Merchant Level. Your Merchant Level is determined by the number of payments specific to each card brand you process in a 12-month reporting period. Depending on your level, you may be required to validate and report your PCI DSS compliance to your acquirer. The chart below provides an overview of each reporting level.




1 Over 6 million Visa or MasterCard transactions in a 12 month period
  • Onsite Assessment and Report on Compliance (ROC) performed by QSA or ISA
  • Quarterly network scans by ASV
2 Between 1 and 6 million Visa or MasterCard transactions in a 12 month period
3 Between 20,000 and 1 million Visa or MasterCard e-commerce transactions in a 12 month period
4 Less than 20,000 ecommerce or less than 1 million transactions with one card brand in a 12 month period

PCI DSS Compliance Validation

As your acquirer, Premium Card Solutions may ask you to submit documentation (depending on your Merchant Level) to validate and report your PCI DSS compliance.

It’s important to keep these points in mind:

  • Premium Card Solutions annually assigns merchant levels 1-4, as is required by the payment brands. These levels are based on the number of transactions a merchant processes in a one-year period within a single payment brand.
  • The payment brands set their own levels. For example, while Visa and MasterCard levels are generally the same, American Express uses a separate set of criteria for establishing merchant levels and has different reporting requirements.

Each payment brand establishes their own criteria to determine merchant validation deadlines.