The Payment Card Industry Data Security Standard’s (PCI DSS) compliance Level 3 applies to mid-size merchants that, generally speaking, process between 20,000 and 1 million credit card transactions per year.

As is the case with all the PCI compliance levels, however, the exact number of transactions qualifying a merchant for Level 3 depends largely on which credit cards that merchant accepts. Also, for Level 3, the number of e-commerce transactions versus in-store transactions matters, as well.

What is PCI DSS?

The PCI Security Standards Council (PCI SSC), representing financial institutions, merchants, processor companies, software developers, and point-of-sale vendors, developed PCI DSS in 2004 to safeguard credit card and cardholder data against breach and other forms of unauthorized access.

To process, store, or transmit credit card data, merchants and payment or internet service providers must be PCI compliant. Otherwise, they face strict penalties including fines and possible loss of credit card privileges.


Am I a PCI Level 3 Merchant? 

If your organization meets any of these criteria, it qualifies as a PCI Level 3 merchant:

  • Processes between 20,000 and 1 million Visa e-commerce transactions annually
  • Processes 20,000 Mastercard e-commerce transactions annually, but less than or equal to 1 million total Mastercard transactions annually
  • Processes between 20,000 and 1 million Discover “card-not-present” (e-commerce)  transactions annually
  • Processes fewer than 50,000 American Express transactions annually

Note that card provider JCB has no Level 3. All merchants processing fewer than 1 million JCB transactions per year qualify as Level 2 merchants.


How Does a Level 3 Merchant Achieve PCI DSS Compliance?

Unlike Level 1 merchants, Level 3 merchants do not require a yearly onsite audit by a Qualified Security Assessor or Internal Security Assessor or the resulting Record of Compliance (ROC) to establish itself as PCI DSS compliant.

The validation requirements for a Level 3 merchant are the same as those for Level 2 merchants:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by an Approved Scan Vendor (ASV)
  • Attestation of Compliance form

Although Level 3 merchants are not required to commission an on-site audit or obtain a ROC, some may choose to do so to boost their business profile or ensure that their cardholder data environment is completely secure.


Payment and internet service providers for merchants and financial institutions also must validate their PCI DSS compliance, but there is no compliance Level 3 for service providers. Instead, those that process fewer than 300,000 payment card transactions per year qualify as Level 2 service providers.