What is a level?
“Levels” is a classification of organizations accepting and processing credit cards. They are defined and used by the payment brands to indicate what compliance validation procedures and reporting requirements targeted entities are expected to complete.
There is no consensus in this area between payment brands (this would be too easy :)). There are as many level definitions as there are payment brands.
They are mainly defined based on the number of transactions processed annually on the payment brand networks.
Who determines the level applicable for a merchant?
Since acquirers are responsible for merchants’ compliance, they are the ones who determine the level applicable to a merchant.
So if a merchant accepts multiple brands and those brands utilize different acquirers, the merchant could be subjected to multiple levels according to the acquirers.
How to determine the applicable level?
Acquirers determine the applicable level mainly based on the number of transactions processed annually, as well as any account compromise experienced by the merchant.
Merchant levels definition per payment brands and transaction volume
· No Level 4 merchant for American Express
· No Level 3 and Level 4 merchants for JCB International
· Payment brands reserve the right to escalate a merchant’s level depending on risk, such as a previous compromise where PCI requirements were not in place.
References:
American Express:
Discover:
http://www.discovernetwork.com/fraudsecurity/disc.html
JCB:
http://www.jcb-global.com/english/jdsp/index.html
Mastercard:
http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html
Visa:
http://usa.visa.com/merchants/risk_management/cisp_merchants.html
Find all PCI 30 seconds newsletters on community.rapid7.com section Information security.