When it comes to PCI compliance levels, Level 1 merchants are the most highly regulated. They must undergo an on-site assessment from a Qualified Security Assessor (QSA) and complete the Attestation of Compliance form. In addition, they must file an Annual Report of Compliance (ROC) with the PCI Security Standards Council and conduct quarterly network scans by an Approved Scanning Vendor (ASV).
What Is a Level 4 Merchant?
Payment brands like Visa, MasterCard, Discover, American Express, and JCB have defined four merchant levels to help decrease credit card merchant services and data loss for their customers. These levels are determined by the number of card transactions a business processes annually.
Most businesses, especially small businesses, will fall into the Level 4 merchant category. The requirements for Level 4 merchants are the lightest of all four levels. However, it is still a critical component of a comprehensive cybersecurity program and should be taken seriously.
The most common merchants will find the Level 2 requirement more applicable to them than the Level 3 requirement. They will also have to complete and submit an annual Self-Assessment Questionnaire (SAQ) and pass a quarterly ASV network scan and ROC.