In order to distinguish the sizes of merchant companies and appropriately determine the level of testing required, the founding credit card companies created four different brackets ranging from Tier 1 to 4.

Each tier is based on the number of transactions processed per year by the merchant and also dictates the testing a merchant must undertake. While transactions are the primary determiner, a merchant can also be made Tier 1 at the major credit card company’s discretion if they have suffered a cyber breach.

PCI DSS Merchant Levels

Level 1 – Any merchant processing 6,000,000+ transactions per year across all channels or any merchant that has had a data breach. Credit card companies can also upgrade any merchant to level 1 at their discretion.

Level 2 – Any merchant processing between 1,000,000 and 6,000,000 transactions per year across all channels.

Level 3 – Any merchant processing between 20,000 and 1,000,000 e-commerce transactions per year.

Level 4 – Any merchant processing less than 20,000 e-commerce transactions per year or any merchant processing up to 1,000,000 regular transactions per year.

The levels are relatively self-explanatory: the more transactions you process, the higher the level. The one thing to be aware of is that Levels 3 and 4 are defined by e-commerce (online) transaction volume, so depending on your business and number of transactions you can move straight from Level 4 to Level 2, bypassing Level 3 entirely.

Do I need penetration testing?

As a penetration tester, I would recommend testing your systems for the sake of security rather than for achieving PCI DSS compliance. (If you secure your systems beyond what is mandated by PCI DSS, you’ll achieve compliance by default anyway and be more secure in the process.)

All tiers apart from Tier 1 will need to complete a self-assessment questionnaire (SAQ).