
Compliance for Level 4 Merchants: Requirements and Attestation

Level 4 merchants represent the foundational tier in the PCI DSS compliance hierarchy. These organizations process fewer than 20,000 e-commerce transactions or up to 1 million total payment card transactions annually, making them subject to streamlined but critical security validation requirements. This document provides a comprehensive overview of PCI DSS obligations for Level 4 merchants, emphasizing the impact of Self-Assessment Questionnaire (SAQ) types on compliance processes and attestation procedures.

Who Qualifies as a Level 4 Merchant?

A Level 4 merchant is defined by payment brands as follows:

  • Visa/Mastercard: Fewer than 20,000 e-commerce transactions annually or up to 1 million total transactions across all channels.
  • Discover/American Express: No explicit Level 4 designation; merchants processing fewer than 20,000 Discover or Amex transactions fall under lower-tier requirements.
  • JCB: Merchants processing fewer than 1 million transactions annually qualify as Level 2, as JCB does not recognize Level 4.

Examples of qualifying entities:

  • Small online retailers
  • Local service providers with in-person payment systems
  • Startups with emerging e-commerce platforms
  • Nonprofit organizations accepting donations via card

Eligibility Criteria for Level 4 Merchant Classification

Transaction Volume Thresholds

The primary qualification for Level 4 status depends on transaction channels:

  • E-commerce: <20,000 annual transactions via digital platforms
  • All channels: ≤1 million total transactions when combining in-person, mail/telephone, and e-commerce

Card brands monitor transaction volumes through acquiring banks, automatically classifying merchants based on annual processing activity. Retailers exceeding these thresholds for three consecutive months may face reclassification.

Breach History Implications

While Level 4 merchants are not automatically upgraded to higher compliance tiers after breaches, payment brands may impose additional requirements such as:

  • Mandatory forensic audits
  • Enhanced vulnerability scanning frequency
  • Temporary restrictions on transaction processing

Discretionary Classifications by Acquirers

Acquiring banks retain authority to:

  • Elevate merchants to higher levels based on risk profiles
  • Require more stringent validation for businesses in high-risk industries (e.g., digital downloads, travel services)
  • Mandate quarterly attestations for merchants with inconsistent security practices

Key PCI DSS Compliance Requirements for Level 4 Merchants

1. Annual Self-Assessment Questionnaire (SAQ)

  • Validation Method: Completion of SAQ appropriate to payment architecture
  • Assessment Scope: Covers 12 PCI DSS requirements tailored to business operations
  • Submission: SAQ and Attestation of Compliance (AoC) must be filed with acquiring bank

2. Quarterly Network Scans

  • Requirement: External vulnerability scans by Approved Scanning Vendor (ASV)
  • Frequency: Quarterly, with remediation of critical vulnerabilities within 30 days
  • Documentation: Scan reports must accompany SAQ submission

3. Attestation of Compliance (AoC)

  • Requirement: Signed declaration of PCI DSS adherence
  • Signatories: Merchant executive or authorized representative
  • Retention: Maintain records for three years minimum

SAQ Type Impact on Compliance Obligations

The SAQ type determines the depth of security controls required:

SAQ A

Applies to: Merchants using fully outsourced payment processing with no card data handling

Key Requirements:

  • Validate third-party service provider compliance
  • Maintain documentation of service provider agreements
  • Ensure payment pages meet PCI DSS redirect standards

SAQ B

Applies to: Merchants using standalone, PTS-approved payment terminals without electronic data storage

Key Requirements:

  • Physical security for payment devices
  • Terminal firmware updates every three months
  • Prohibition of wireless network connectivity

SAQ B-IP

Applies to: Internet-connected payment terminals without data storage

Additional Controls:

  • Network segmentation of payment systems
  • Encryption of internet transmissions (TLS 1.2+)
  • Multi-factor authentication for administrative access

SAQ C-VT

Applies to: Virtual terminal users processing single transactions via third-party platforms

Critical Obligations:

  • Session timeout after 15 minutes of inactivity
  • Prohibition of card data storage in browsers or logs
  • Annual security awareness training for staff

SAQ D

Applies to: Merchants with custom payment integrations or partial data handling

Expanded Requirements:

  • Full implementation of 12 PCI DSS requirements
  • Annual internal vulnerability scans
  • Access control policies for cardholder data environments

Attestation of Compliance (AoC) Signature Requirements

For Level 4 merchants, the AoC requires:

  • Executive Attestation: CEO, CFO, or equivalent officer must sign, affirming organizational commitment to PCI DSS
  • QSA Optional: No mandatory QSA involvement unless required by acquirer

This single-signature model balances accountability with operational efficiency for small businesses.

Additional Compliance Considerations

Technology Infrastructure

  • Point-to-Point Encryption (P2PE): Reduces SAQ scope when using validated solutions
  • Tokenization: Lowers compliance burden by eliminating card data storage
  • Cloud Services: Requires validation of CSP compliance (e.g., AWS, Azure PCI reports)

Staff Training

  • Annual security awareness programs covering:
    • Phishing identification
    • Password management
    • Incident reporting procedures

Documentation Practices

  • Maintain records of:
    • SAQ versions and completion dates
    • ASV scan reports
    • Third-party compliance certifications

Consequences of Non-Compliance

Financial Penalties

  • Acquirer Fines: $5,000–$50,000 monthly until remediation
  • Card Brand Assessments: Additional penalties up to $100 per compromised record

Operational Impacts

  • Transaction processing suspension
  • Loss of ability to accept premium credit cards
  • Mandatory forensic audits at merchant expense

Reputational Damage

  • Public disclosure requirements for breaches
  • Loss of customer trust, with revenue impacts of up to 20% for SMBs
  • Exclusion from partner programs requiring PCI compliance

Conclusion

PCI DSS compliance for Level 4 merchants establishes essential security foundations while accommodating smaller organizational scales. The SAQ framework enables tailored validation processes, with requirements ranging from basic third-party verification (SAQ A) to comprehensive controls (SAQ D). By adhering to quarterly scanning, annual self-assessment, and executive attestation, Level 4 merchants mitigate breach risks while maintaining payment processing capabilities.

Emerging technologies like P2PE and tokenization continue to reduce compliance burdens, allowing small businesses to focus on growth while meeting critical security standards. Regular reviews of transaction volumes and SAQ eligibility ensure continued alignment with PCI DSS requirements as organizational needs evolve.
