Compliance for Level 1 Merchants: Requirements and Attestation
Introduction
Level 1 merchants represent the highest tier in the PCI DSS compliance hierarchy. These organizations process over 6 million card transactions annually and, as such, are subject to the most stringent security and validation requirements. This document provides a comprehensive overview of the PCI DSS obligations for Level 1 merchants, including validation methods, assessment procedures, and Attestation of Compliance (AoC) signature requirements.
Who Qualifies as a Level 1 Merchant?
A Level 1 merchant is defined as any entity that processes more than 6 million Visa or MasterCard transactions per year, regardless of sales channel (e-commerce, retail, mail/telephone order, etc.). This level also includes merchants that have experienced a data breach or are otherwise designated as Level 1 by a payment brand.
Eligibility Criteria for Level 1 Merchant Classification
Level 1 Merchant status applies to entities that face the highest scrutiny under PCI DSS due to their transaction volume, risk profile, or operational characteristics. The eligibility criteria are structured to identify organizations with the greatest exposure to payment card fraud and data breaches.
Transaction Volume Threshold
The primary qualification for Level 1 Merchant classification is processing over 6 million payment card transactions annually across all acceptance channels, including in-person, e-commerce, and mail/telephone orders. This threshold applies to aggregate transactions processed under a single merchant identification number (MID) or corporate entity.
Examples of qualifying entities:
- National retail chains with widespread brick-and-mortar locations
- Major e-commerce platforms handling global transactions
- Payment processors aggregating transactions for multiple sub-merchants
Card brands monitor transaction volumes through acquiring banks and reclassify merchants that exceed this threshold as Level 1.
Breach History Designation
Merchants that have experienced a confirmed cardholder data compromise are immediately elevated to Level 1 status regardless of transaction volume. This includes:
- Unauthorized access to payment systems storing cardholder data
- Exposure of authentication credentials or sensitive authentication data (SAD)
- Forensic investigations identifying PCI DSS control failures
The elevated status remains for 24 months post-remediation, requiring enhanced oversight even if transaction volumes fall below 6 million.
Discretionary Upgrades by Card Brands
Payment networks reserve the right to classify merchants as Level 1 based on:
- High-risk business models (e.g., digital goods, travel services)
- Geographic operations in regions with elevated fraud rates
- System changes increasing attack surface (e.g., cloud migrations)
- Recurring compliance failures at lower merchant levels
Visa's Account Data Compromise Program and Mastercard's Risk Reconnaissance System use machine learning to identify high-risk merchants for potential classification upgrades.
Key PCI DSS Compliance Requirements for Level 1 Merchants
1. Annual Report on Compliance (ROC)
- Validation Method: Level 1 merchants must undergo a full onsite PCI DSS assessment each year.
- Who Conducts the Assessment: This assessment must be performed by a Qualified Security Assessor (QSA) approved by the PCI Security Standards Council.
- Purpose: The ROC is a comprehensive review of the merchant's security controls, policies, and technical environment to ensure full compliance with all PCI DSS requirements.
2. Quarterly Network Scans
- Requirement: Merchants must have their external networks scanned at least quarterly.
- Who Performs the Scans: Scans must be conducted by an Approved Scanning Vendor (ASV).
- Purpose: These scans identify vulnerabilities in the merchant's Internet-facing systems so they can be remediated before an attacker exploits them.
3. Attestation of Compliance (AoC)
- Requirement: After completing the ROC, Level 1 merchants must submit an AoC form.
- Purpose: The AoC is a formal declaration of the merchant's PCI DSS compliance status.
Attestation of Compliance (AoC) Signature Requirements
For Level 1 merchants, the AoC carries significant weight and must be signed by multiple parties:
- QSA Signature: The QSA who conducted the onsite assessment must sign the AoC, verifying that the assessment was thorough and accurate.
- Executive Signature: A senior executive (such as a C-level officer or authorized company representative) must also sign, affirming the organization's commitment to PCI DSS compliance and accepting responsibility for ongoing adherence.
This dual-signature process ensures both technical and organizational accountability for protecting cardholder data.
Additional Compliance Considerations
- Penetration Testing: While not unique to Level 1, annual penetration testing is a critical part of the compliance process and is reviewed during the ROC.
- Internal Vulnerability Scans: Regular internal scans are required to detect and remediate vulnerabilities within the organization's environment.
- Brand-Specific Requirements: Payment brands or acquiring banks may impose additional validation steps or require more frequent assessments, especially if the merchant has a history of security incidents.
Consequences of Non-Compliance
Failure to meet PCI DSS requirements can result in significant repercussions for Level 1 merchants:
- Monetary Fines: Non-compliance can lead to fines ranging from $5,000 to $100,000 per month, depending on the duration and severity of the non-compliance.
- Increased Exposure to Data Breaches: Non-compliant merchants are more susceptible to cyberattacks, potentially leading to data breaches and associated costs.
- Credit Card Processing Restrictions: Payment processors may impose restrictions or terminate the ability to process credit card transactions.
- Legal Implications: Data breaches resulting from non-compliance can lead to legal actions, including lawsuits and penalties.
- Loss of Revenue and Reputation: Non-compliance can damage a merchant's reputation, leading to loss of customer trust and revenue.
Conclusion
Being a Level 1 merchant under PCI DSS means adhering to the strictest security standards in the payment industry. Annual onsite assessments by a QSA, quarterly network scans by an ASV, and a rigorously signed Attestation of Compliance form are all mandatory. By meeting these requirements, Level 1 merchants not only protect themselves and their customers but also contribute to the overall security and trustworthiness of the global payment ecosystem.