PCI: Merchant Account Levels

PCI compliance is about mitigating risk and loss in the event of a compromise of cardholder data.  As such, Visa has different Merchant Levels based upon the volume of transactions a company handles.  You can read Visa’s website page about their levels here:


Determining your merchant account level is relatively straight forward based on the table provided in the link above.  However, it is important to remember that Visa (and all of PCIPCI-DSS Compliance) is concerned with credit card data.  Your Merchant Level will be affected by the method with which you accept, process, and store cardholder data.  Let’s look at two examples.


Example 1 – Using In-House Systems:  Let’s say company XYZ has a website to showcase their products, and chooses to use their own Shopping Cart solution.  They choose this method because the cart they selected is either inexpensive or free (open source).  When XYZ sells a product online, the cardholder data is transmitted to their server(s), processed by their shopping cart, and stored by their database.  Company XYZ has hit the PCI trifecta: they transmit, process, and store cardholder data.  Performing even one of those requires full PCI-DSS compliance of their systems.  Visa may consider them a Merchant Level 4 (lowest level) but all of their systems will have to conform to the expansive PCI-DSS requirements.


Example 2 – Using A Hosted Solution:  Company XYZ showcases their products on their website, and uses a PCI Compliant solution such as Cart32 for their shopping cart.  When XYZ sells a product online, the cardholder data is transmitted to, processed by, and stored by Cart32’s systems.  This relieves XYZ from virtually all PCI-DSS requirements. XYZ never has to see cardholder data to sell products online.  Again Visa may consider them a Merchant Level 4, but now they simply need to submit an Attestation of Compliance once a year and then rely on their host (e.g. Cart32) to handle the PCI-DSS requirements on the host’s systems.


Some merchants may have a genuine need to keep their systems in-house, but many others do it in an attempt to save money.  However, the cost of maintaining your own PCI compliance will usually far outweigh the hosted solutions offered by companies like Cart32.  Remember, even a company with a Merchant Level of 4 is still required to adhere to all PCI-DSS requirements on all systems transmitting, processing, or storing cardholder data.


Regardless of the path you choose make sure you’re covered.  Don’t file your Attestation of Compliance and then go on to ignore the PCI-DSS requirements.  You could be heavily fined or simply refused service by the Card Brands for any compromises or violations.  If you’re unsure, talk to us!  We’ve been helping merchants small and large for fifteen years and we’re happy to talk you through your business’s needs as well.

Leave a Reply

Log in