What merchants need to know about securing transactions

Find out how to store, process and transmit payment data securely

All merchants that store, process or transmit cardholder data must be PCI compliant. Each merchant that is categorized as a Level 1, Level 2 or Level 3 merchant is required to report its compliance status directly to its acquiring bank.

Determining merchant level often raises questions. Mastercard recommends that merchants contact their acquiring bank; with the bank's assistance, merchants can then complete the following steps:

  • Determine merchant level using Mastercard transaction volume from the most recent 52-week period

  • Confirm necessary PCI validation requirements 

  • Engage an approved vendor, as appropriate, and follow the validation procedures

Once a merchant has been verified as PCI compliant, the merchant must submit the validation requirements to its acquiring bank, which then will report the merchant’s compliance status to Mastercard.

Merchant categories, criteria and validation requirements

Level 1
  Criteria:
  • Any merchant that has suffered a hack or an attack that resulted in an Account Data Compromise (ADC) Event
  • Any merchant having more than six million total combined Mastercard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that Mastercard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  Requirements:
  • Annual Onsite Assessment [1]
  • Quarterly Network Scan conducted by an ASV [2]

Level 2
  Criteria:
  • Any merchant with more than one million but less than or equal to six million total combined Mastercard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa
  Requirements:
  • Annual Self-Assessment [3]
  • Onsite Assessment at Merchant Discretion [3]
  • Quarterly Network Scan conducted by an ASV [2]

Level 3
  Criteria:
  • Any merchant with more than 20,000 combined Mastercard and Maestro e-commerce transactions annually but less than or equal to one million total combined Mastercard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa
  Requirements:
  • Annual Self-Assessment
  • Onsite Assessment at Merchant Discretion [4]
  • Quarterly Network Scan conducted by an ASV [2]

Level 4
  Criteria:
  • All other merchants [5]
  Requirements:
  • Annual Self-Assessment
  • Onsite Assessment at Merchant Discretion [4]
  • Quarterly Network Scan conducted by an ASV [2]

Notes:
  1. Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue to use internal auditors.
  2. Quarterly network scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).
  3. Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire.
  4. Level 3 and Level 4 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA for an onsite assessment instead of performing a self-assessment.
  5. Level 4 merchants are required to comply with the PCI DSS. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.

Understand the Validation Requirements for Merchants

Onsite or Self-Assessment

A detailed assessment performed by a PCI SSC certified Qualified Security Assessor (QSA) or by a certified Internal Security Assessor (ISA). The assessment validates to the acquirer that the organization is handling card data in accordance with the Payment Card Industry Data Security Standard (PCI DSS).

Applies to: Level 1 and 2 Merchants

Self-Assessment Questionnaire (SAQ)

A validation tool used primarily by merchants and service providers that are not required to undergo an onsite assessment, allowing them to self-evaluate their compliance with the PCI DSS.

Applies to: Levels 2, 3 and 4 Merchants

External Vulnerability Scan

Vulnerability scanning performed by a PCI SSC Approved Scanning Vendor (ASV) of all Internet-facing system components that are a part of, or provide a path to, the cardholder data environment.

Applies to: All Merchants (as applicable)