Compliance for Level 2 Merchants: Requirements and Attestation
Introduction
Level 2 merchants represent a significant tier in the PCI DSS compliance hierarchy. These organizations process between 1 million and 6 million card transactions annually and are subject to important security and validation requirements, though less stringent than those for Level 1 merchants. This document provides a comprehensive overview of the PCI DSS obligations for Level 2 merchants, including validation methods, Self-Assessment Questionnaire (SAQ) types, and compliance requirements that vary based on the payment processing environment.
Who Qualifies as a Level 2 Merchant?
A Level 2 merchant is defined as any entity that processes between 1 million and 6 million Visa or MasterCard transactions per year, regardless of sales channel (e-commerce, retail, mail/telephone order, etc.). For American Express, the range is 50,000 to 2 million transactions, and for JCB International, fewer than 1 million transactions.
Eligibility Criteria for Level 2 Merchant Classification
Level 2 Merchant status applies to entities that face moderate to high scrutiny under PCI DSS due to their transaction volume, risk profile, or operational characteristics. The eligibility criteria are structured to identify organizations with significant exposure to payment card fraud and data breaches.
Transaction Volume Threshold
The primary qualification for Level 2 Merchant classification is processing between 1 million and 6 million payment card transactions annually across all acceptance channels, including in-person, e-commerce, and mail/telephone orders. This threshold applies to aggregate transactions processed under a single merchant identification number (MID) or corporate entity.
Examples of qualifying entities:
- Regional retail chains with multiple brick-and-mortar locations
- Growing e-commerce platforms handling substantial transaction volumes
- Mid-sized service providers processing recurring payments
Card brands monitor transaction volumes through acquiring banks, classifying merchants within this transaction range as Level 2.
Discretionary Classifications
As with Level 1 merchants, payment networks may, at their discretion, classify certain merchants as Level 2 based on:
- Moderate-risk business models
- Geographic operations in regions with elevated fraud rates
- System complexity or changes increasing attack surface
- Previous compliance issues at lower merchant levels
Key PCI DSS Compliance Requirements for Level 2 Merchants
1. Annual Self-Assessment Questionnaire (SAQ)
- Validation Method: Level 2 merchants must complete an annual SAQ.
- Who Conducts the Assessment: This depends on the SAQ type, as detailed below.
- Purpose: The SAQ is a self-validation tool to assess security for cardholder data and ensure compliance with PCI DSS requirements.
2. Quarterly Network Scans
- Requirement: Merchants must have their external networks scanned at least quarterly.
- Who Performs the Scans: Scans must be conducted by an Approved Scanning Vendor (ASV).
- Purpose: These scans identify and help remediate vulnerabilities that could be exploited by attackers.
3. Attestation of Compliance (AoC)
- Requirement: After completing the SAQ, Level 2 merchants must submit an AoC form.
- Purpose: The AoC is a formal declaration of the merchant's PCI DSS compliance status.
SAQ Types and Their Requirements
As of March 2021, Mastercard revised the compliance requirements for Level 2 merchants based on the type of SAQ they complete, creating a risk-based approach that differentiates between high and low security risk merchants.
High Security Risk Merchants (QSA/ISA Required)
Level 2 merchants completing the following SAQ types must engage a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) for compliance validation:
- SAQ A: Card-not-present Merchants with All Cardholder Data Functions Fully Outsourced
- SAQ A-EP: Partially Outsourced E-Commerce Merchants Using a Third-Party Website for Payment Processing
- SAQ D: All Other SAQ-Eligible Merchants (those whose environment does not fit any other SAQ category)
These SAQ types are considered high security risk due to complex payment acceptance environments and/or e-commerce operations.
Low Security Risk Merchants (Self-Assessment Permitted)
Level 2 merchants completing the following SAQ types may self-assess without the use of a QSA or ISA for compliance validation:
- SAQ B: Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals
- SAQ B-IP: Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals
- SAQ C-VT: Merchants with Web-Based Virtual Terminals
- SAQ C: Merchants with Payment Application Systems Connected to the Internet
- SAQ P2PE: Merchants using Only Hardware Payment Terminals in a PCI SSC-listed P2PE Solution
These SAQ types are considered lower security risk due to their more controlled and limited payment acceptance environments.
Attestation of Compliance (AoC) Signature Requirements
For Level 2 merchants, the AoC signature requirements depend on the type of SAQ completed:
- For SAQ A, A-EP, and D: The AoC must be signed by both the QSA/ISA who conducted the assessment and an executive officer of the company.
- For SAQ B, B-IP, C-VT, C, and P2PE: The AoC can be signed by an executive officer of the company without requiring a QSA/ISA signature.
This tiered signature process ensures appropriate accountability based on the risk level of the merchant's payment processing environment.
Additional Compliance Considerations
- Optional ROC: Level 2 merchants may, at their own discretion, choose to engage a QSA or ISA to complete a Report on Compliance (ROC) instead of completing an SAQ.
- Penetration Testing: Annual penetration testing is required for certain SAQ types.
- Internal Vulnerability Scans: Regular internal scans are required to detect and remediate vulnerabilities within the organization's environment.
- Brand-Specific Requirements: Payment brands or acquiring banks may impose additional validation steps or requirements.
Consequences of Non-Compliance
Failure to meet PCI DSS requirements can result in significant repercussions for Level 2 merchants:
- Monetary Fines: Non-compliance can lead to fines imposed by payment brands through acquiring banks.
- Increased Exposure to Data Breaches: Non-compliant merchants are more susceptible to cyberattacks, potentially leading to data breaches and associated costs.
- Credit Card Processing Restrictions: Payment processors may impose restrictions or terminate the ability to process credit card transactions.
- Legal Implications: Data breaches resulting from non-compliance can lead to legal actions, including lawsuits and penalties.
- Loss of Revenue and Reputation: Non-compliance can damage a merchant's reputation, leading to loss of customer trust and revenue.
Conclusion
Being a Level 2 merchant under PCI DSS means adhering to important security standards in the payment industry. The annual SAQ, quarterly network scans by an ASV, and a properly signed Attestation of Compliance form are all mandatory, though the specific requirements vary based on the type of SAQ. Mastercard's 2021 revision created a more risk-based approach, differentiating requirements between high and low security risk merchants.
By understanding which SAQ type applies to their payment environment and meeting the corresponding requirements, Level 2 merchants can effectively protect cardholder data while maintaining a compliance program appropriate to their risk level. This balanced approach helps ensure the security of the payment ecosystem while acknowledging the different risk profiles among Level 2 merchants.