The Payment Card Industry Data Security Standard’s (PCI DSS) compliance Level 3 applies to mid-size merchants that, generally speaking, process between 20,000 and 1 million credit card transactions per year.

As is the case with all the PCI compliance levels, however, the exact number of transactions qualifying a merchant for Level 3 depends mainly on which credit cards that merchant accepts. Also, for Level 3, the number of e-commerce transactions versus in-store transactions matters.

What is PCI DSS?

The PCI Security Standards Council (PCI SSC), representing financial institutions, merchants, processor companies, software developers, and point-of-sale vendors, developed PCI DSS in 2004 to safeguard credit card and cardholder data against breach and other unauthorized access.

To process, store, or transmit credit card data, merchants and payment or internet service providers must be PCI compliant. Otherwise, they face strict penalties, including fines and possible loss of credit card privileges.

What is the difference between PCI Level 2 and Level 3?

The PCI Data Security Standard has different PCI DSS compliance levels that merchants and service providers must adhere to, depending on their transaction volume. PCI Level 2 has more stringent security requirements than Level 3.

The critical differences between PCI Level 2 and Level 3 include:

  • Level 2 requires quarterly network scans by an Approved Scanning Vendor (ASV), while Level 3 only requires annual scans.
  • Level 2 requires annual penetration testing, but this is not a requirement for Level 3.
  • Level 2 merchants must use 2-factor authentication for remote access to the cardholder data environment, but Level 3 does not have this exact requirement.
  • Level 2 has required procedures for personnel and processes like background checks, while these are recommended but optional for Level 3.

Overall, PCI Level 2 compliance has more advanced security requirements appropriate for higher transaction volumes. Level 3 is designed for smaller merchants handling under 20,000 Visa e-commerce transactions or 1 million Visa transactions total per year.

What are the benefits of PCI Level 3 compliance?

Achieving PCI Level 3 compliance provides several key benefits for small merchants and service providers, including:

  • It validates compliance with baseline PCI data security standards for protecting cardholder data and card information. This helps minimize risk and potential damage from a data breach.
  • Meeting requirements for third-party compliance validation. This is necessary for obtaining merchant accounts and payment processing services.
  • Avoiding non-compliance fines and penalties.
  • Maintaining a positive reputation and trust with customers for taking security seriously.
  • Access to resources and tools provided by the PCI Security Standards Council (PCI SSC) to assist with ongoing PCI DSS compliance.
  • Ongoing reminders and guidance for maintaining good security practices like strong passwords, anti-virus software, restricted access, and network protections.

PCI Level 3 compliance establishes security best practices appropriate for smaller businesses to help them safely accept credit card and debit card payments.

What is a PCI Level 3 service provider?

A PCI Level 3 service provider is a business that stores, processes, or transmits less than 300,000 Visa transactions or 1 million Visa transactions annually. They also must adhere to the PCI Data Security Standard (PCI DSS).

Examples of PCI Level 3 service providers include:

  • Web hosting companies
  • Payment gateways
  • IT support firms
  • Credentials management providers
  • Shopping cart providers
  • Other businesses supplying payment-related services to merchants

To validate compliance, PCI Level 3 service providers must complete an annual Self-Assessment Questionnaire (SAQ) and network scans. They may also undergo validation requirements from their customers. Maintaining PCI compliance is mandatory for service providers to operate within the payments industry.

Am I a PCI Level 3 Merchant? 

If your organization meets any of these criteria, it qualifies as a PCI Level 3 merchant:

  • Processes between 20,000 and 1 million Visa e-commerce transactions annually
  • Processes 20,000 Mastercard e-commerce transactions annually but less than or equal to 1 million total Mastercard transactions annually
  • Processes between 20,000 and 1 million Discover “card-not-present” (e-commerce)  transactions annually
  • Processes fewer than 50,000 American Express transactions annually

Note that card provider JCB has no Level 3. All merchants processing fewer than 1 million JCB transactions yearly qualify as Level 2 merchants.

What is required for Level 3 PCI compliance?

There are specific PCI compliance requirements merchants must meet to achieve PCI Level 3 validation. This level applies to merchants processing 1-6 million total credit card transactions annually across all card brands like Visa, Mastercard, American Express, and Discover.

Key PCI Level 3 compliance requirements include:

  • Completing an annual Self-Assessment Questionnaire (SAQ) to evaluate compliance with PCI data security standards. SAQ D is commonly used for merchants handling credit card data in their systems.
  • Passing quarterly network scans by an Approved Scanning Vendor (ASV) to check for vulnerabilities.
  • Using and maintaining a firewall to protect the cardholder data environment.
  • Preventing storage of sensitive payment card data like magnetic stripe information, PINs, or CVV codes.
  • Securing systems and protecting cardholder information according to defined PCI information security standards.
  • Working with an acquiring bank or Qualified Security Assessor (QSA) to validate compliance, if applicable.
  • Submitting an annual Attestation of Compliance (AOC) form to the payment brands.
  • Completing all applicable PCI DSS requirements for Level 3 merchants and service providers.

The PCI compliance process aims to uphold data security best practices for organizations handling credit, debit, and prepaid card transactions. Achieving and maintaining Level 3 compliance helps minimize risk and safeguard sensitive cardholder information.

How Does a Level 3 Merchant Achieve PCI DSS Compliance?

Unlike Level 1 merchants, Level 3 merchants do not require a yearly onsite audit by a Qualified Security Assessor or Internal Security Assessor or the resulting Record of Compliance (ROC) to establish itself as PCI DSS compliant.

The validation requirements for a Level 3 merchant are the same as those for Level 2 merchants:

  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by an Approved Scan Vendor (ASV)
  • Attestation of Compliance form

Although Level 3 merchants are not required to commission an on-site audit or obtain an ROC, some may choose to do so to boost their business profile or ensure that their cardholder data environment is completely secure.

Payment and internet service providers for merchants and financial institutions also must validate their PCI DSS compliance, but there needs to be compliance Level 3 for service providers. Instead, those that process fewer than 300,000 payment card transactions per year qualify as Level 2 service providers.

Meet your compliance goals with ZenGRC

Simplify your PCI compliance process with ZenGRC’s intuitive software. Effortlessly manage assessments, controls, and documentation while reducing costs. 

Our quality software simplifies the process, offering precise requirements and intuitive tools for efficient documentation management. Pre-loaded templates guide you through every step, reducing your team’s workload.

See how ZenGRC transforms compliance. Request a demo today.