Compliance for Level 3 Merchants: Requirements and Attestation
Level 3 merchants occupy the mid-tier of the PCI DSS merchant-level hierarchy. Under the Visa definition that most discussions use, they process between 20,000 and 1 million e-commerce transactions a year, and they validate compliance through self-assessment rather than an on-site QSA assessment. This document gives an overview of the PCI DSS obligations for Level 3 merchants, including validation methods, assessment procedures, and the Attestation of Compliance (AoC) that is submitted to the acquirer together with the completed Self-Assessment Questionnaire.
Who Qualifies as a Level 3 Merchant?
A Level 3 merchant is defined as any entity that processes between 20,000 and 1 million e-commerce transactions annually, though specific criteria vary by payment brand. This level typically includes mid-sized online retailers, regional e-commerce businesses, and organizations with moderate transaction volumes through digital channels.
Eligibility Criteria for Level 3 Merchant Classification
Level 3 Merchant status applies to entities with moderate transaction volumes, primarily through e-commerce channels. The thresholds are meant to identify organizations whose exposure to payment card data is significant but well below that of the largest merchants.
Transaction Volume Threshold
The primary qualification for Level 3 Merchant classification varies by card brand:
- Visa: 20,000 to 1 million e-commerce transactions annually
- Mastercard: More than 20,000 combined Mastercard and Maestro e-commerce transactions annually, but no more than 1 million combined Mastercard and Maestro e-commerce transactions annually
- Discover: 20,000 to 1 million "card-not-present" (e-commerce) transactions annually
- American Express: Fewer than 50,000 American Express transactions annually (counted across all channels, not only e-commerce)
- JCB: No Level 3 classification - merchants processing fewer than 1 million JCB transactions yearly qualify as Level 2 merchants
Examples of qualifying entities:
- Medium-sized online retailers
- Regional e-commerce businesses
- Educational institutions with online payment portals
- Healthcare providers with online payment systems
Card brands monitor transaction volumes through acquiring banks, classifying merchants according to their specific criteria.
Breach History Considerations
Transaction volume is not the only factor. Visa, for example, states that any merchant that has suffered an account data compromise may be escalated to a higher validation level, and other brands and acquirers apply similar discretion. A merchant whose volume would otherwise place it at Level 3 can therefore be required to validate as a Level 1 merchant, with an on-site QSA assessment and a Report on Compliance, after a breach.
Discretionary Classifications
Payment networks may reclassify merchants based on risk factors such as:
- Business model or industry sector risks
- Geographic operation considerations
- Previous compliance history
- Data handling practices
Key PCI DSS Compliance Requirements for Level 3 Merchants
1. Annual Self-Assessment Questionnaire (SAQ)
- Validation Method: Level 3 merchants must complete an annual Self-Assessment Questionnaire (SAQ) appropriate to their business environment.
- Who Conducts the Assessment: The merchant completes the SAQ internally, though they may choose to engage a Qualified Security Assessor (QSA) for assistance.
- Purpose: The SAQ is a self-validation tool to verify compliance with PCI DSS requirements based on how the merchant processes card data.
2. Quarterly External Vulnerability Scans
- Requirement: Merchants must have their Internet-facing systems scanned at least quarterly, and after any significant change to the environment, by an Approved Scanning Vendor (ASV), where the merchant's SAQ type includes the external scan requirement (it does for most e-commerce and Internet-connected environments; acquirers may require it in any case).
- What Counts as Passing: Under the ASV Program Guide a scan fails if it finds any vulnerability with a CVSS base score of 4.0 or higher, or any of the listed automatic failures. Findings must be remediated and the system rescanned until a passing scan is obtained; the passing scan report is submitted with the SAQ and AoC.
- Purpose: The scans identify externally exploitable weaknesses in the cardholder data environment so they can be fixed before an attacker finds them. They do not replace internal scanning or penetration testing where the SAQ requires those.
3. Attestation of Compliance (AoC)
- Requirement: After completing the SAQ, Level 3 merchants must complete the Attestation of Compliance form that accompanies that SAQ type and submit it, with the SAQ and any required passing ASV scan report, to their acquirer (or to the payment brand, as directed).
- Purpose: The AoC is the merchant's formal declaration of its PCI DSS compliance status, the SAQ type used, the scope assessed, and the date of the assessment.
Attestation of Compliance (AoC) Signature Requirements
For Level 3 merchants, the AoC must be signed by:
- Merchant Representative: An authorized officer of the merchant must sign the AoC, affirming the organization's commitment to PCI DSS compliance and accepting responsibility for ongoing adherence.
- QSA Signature (if applicable): If the merchant chose to engage a QSA to assist with the assessment, the QSA may also sign the AoC, providing additional verification.
This signature process ensures organizational accountability for protecting cardholder data.
Additional Compliance Considerations
SAQ Type Impact on Requirements
The specific SAQ type depends on how the merchant accepts and processes payments, and it determines how many PCI DSS requirements the merchant must actually validate:
- SAQ A: For card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers and do not store, process, or transmit cardholder data electronically on their own systems - minimal requirements
- SAQ A-EP: For e-commerce merchants that outsource payment processing to a validated third party but whose website controls how the customer reaches the payment page (for example by serving the redirect or iframe) and therefore affects the security of the transaction - substantially more requirements than SAQ A
- SAQ B: For merchants using imprint machines or standalone dial-out terminals with no electronic cardholder data storage - limited requirements
- SAQ B-IP: For merchants using standalone, PTS-approved payment terminals with an IP connection to the processor and no electronic cardholder data storage
- SAQ C-VT: For merchants that key transactions manually into a virtual payment terminal supplied by a validated third party, from an isolated workstation
- SAQ C: For merchants with payment application systems connected to the Internet and no electronic cardholder data storage - moderate requirements
- SAQ P2PE: For merchants using only a PCI-listed P2PE solution and no electronic cardholder data storage
- SAQ D for Merchants: For all merchants not eligible for any of the above, including any merchant that stores cardholder data electronically - the most comprehensive set of requirements (a separate SAQ D exists for service providers)
Additional Security Measures Based on SAQ Type
Depending on the SAQ type, Level 3 merchants may need to implement:
- Penetration Testing: Required by some SAQ types (for example SAQ A-EP and SAQ D) to identify exploitable weaknesses that automated scans miss
- Internal Vulnerability Scans: Regular scans to detect internal network vulnerabilities
- Firewall Management: Maintaining firewalls to protect the cardholder data environment
- Data Storage Restrictions: Preventing storage of sensitive authentication data
Optional Enhanced Validation
While not required, Level 3 merchants may opt for more rigorous validation:
- Voluntary QSA Assessment: Some merchants engage QSAs for guidance or third-party validation
- Optional ROC: A Report on Compliance is not required at Level 3, but some merchants commission a QSA-led assessment and ROC anyway, usually because an acquirer, a large customer, or their own risk management wants independent validation rather than self-attestation. The ROC documents the assessment; it improves security posture only to the extent the findings are acted on.
Consequences of Non-Compliance
Failure to meet PCI DSS requirements can result in significant repercussions for Level 3 merchants:
- Monetary Fines: Non-compliance can lead to fines imposed by acquiring banks or payment brands
- Increased Data Breach Risk and Cost: Non-compliant merchants are more likely to be breached, and a merchant breached while non-compliant can be charged forensic investigation, card reissuance, and fraud recovery costs by the brands, and may be escalated to Level 1 validation afterwards
- Processing Restrictions: Payment processors may impose restrictions or terminate payment processing capabilities
- Legal Implications: Data breaches resulting from non-compliance can lead to lawsuits and regulatory penalties
- Reputation Damage: Non-compliance can erode customer trust and damage business reputation
Conclusion
Being a Level 3 merchant under PCI DSS requires adherence to important security standards tailored to mid-sized e-commerce businesses. The annual Self-Assessment Questionnaire, quarterly network scans, and Attestation of Compliance form create a framework that balances security requirements with organizational scale. The specific SAQ type significantly impacts the exact compliance requirements, with some merchants facing more extensive validation than others.
By meeting these requirements, Level 3 merchants protect cardholder data, maintain customer trust, and contribute to the overall security of the payment ecosystem while avoiding potential penalties and business disruptions. While less stringent than Level 1 requirements, Level 3 compliance still demands significant attention to security protocols and ongoing vigilance against evolving threats.