Who Determines Merchant Level?

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses, PCI compliance is simpler than it sounds. Your merchant level — which determines how much compliance work you’ll need to do — is based on how many transactions you process annually, and it is your acquiring bank or payment processor that assigns that classification. The good news? Most small businesses are Level 4 merchants, which means you’ll complete a simple self-assessment questionnaire rather than undergo a full audit.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) exists for one reason: to protect credit card data from theft. If you accept credit cards — whether through a terminal, online, or over the phone — these security standards apply to you.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But they don’t enforce them directly. Instead, your acquiring bank or payment processor determines your merchant level and ensures you meet the appropriate compliance requirements. They’re the ones who sent you that questionnaire.

Think of it this way: the card brands set the rules, but your payment processor is the referee. They’ll require annual compliance validation, quarterly security scans if you process online, and documentation that you’re protecting cardholder data properly.

The consequences of non-compliance aren’t theoretical. Your payment processor can fine you monthly (typically $25-$100 for small merchants), increase your processing rates, or even terminate your ability to accept cards. If you experience a data breach while non-compliant, you could face liability for fraud losses and forensic investigation costs that can reach tens of thousands of dollars.

Here’s the good news: most small businesses qualify for the simplest compliance requirements. You won’t need to hire expensive consultants or undergo complex audits. You’ll answer a questionnaire, possibly run some automated scans, and implement basic security practices you should be doing anyway.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you process one transaction or one million, whether you’re a food truck or a Fortune 500 company. Accept cards? You need to be PCI compliant.

Your merchant level depends on your annual transaction volume across all card brands combined. While the exact thresholds can vary slightly by card brand, here’s the general breakdown:

  • Level 1: Over 6 million transactions annually
  • Level 2: 1 to 6 million transactions annually
  • Level 3: 20,000 to 1 million transactions annually
  • Level 4: Under 20,000 transactions annually

Most small businesses fall into Level 4, which means you’ll self-assess your compliance using an SAQ (Self-Assessment Questionnaire) rather than hiring a QSA to conduct a formal audit. Your payment processor determines your merchant level based on the transaction data they have, though some acquirers may classify you differently based on their own risk policies.

When your payment processor sends you that annual compliance questionnaire, they’re fulfilling their obligation to the card brands. They need to verify that every merchant in their portfolio — including you — is protecting cardholder data appropriately. The questionnaire isn’t busy work; it’s their way of confirming you understand and follow basic security practices.

Which SAQ Do You Need?

The PCI DSS includes twelve requirements covering everything from firewalls to encryption to access controls. But here’s the thing: depending on how you accept payments, you might not need to worry about most of them. The SAQ you complete depends entirely on your payment setup.

Here’s how to figure out which SAQ applies to you:

How You Accept Payments                                 SAQ Type   Number of Questions   Complexity
Fully outsourced e-commerce (PayPal, Stripe Checkout)   SAQ A      22                    Simplest
E-commerce with payment fields on your site             SAQ A-EP   139                   Moderate
Standalone terminals only (no connected systems)        SAQ B      41                    Simple
Terminals connected to your network                     SAQ B-IP   82                    Moderate
Manual card entry (virtual terminal, phone orders)      SAQ C-VT   79                    Moderate
Card data enters your systems                           SAQ D      329+                  Complex

If you use modern payment tools, you’re probably looking at one of the simpler SAQs:

  • Square, Clover, or similar terminals: If your payment terminal connects to the internet through cellular or WiFi but doesn’t integrate with your other systems, you’ll likely complete SAQ B-IP.
  • Shopify, WooCommerce with Stripe: If customers are redirected to a hosted payment page or the payment fields are served directly from your processor, you’ll complete SAQ A — the simplest one.
  • Phone orders through a virtual terminal: If you log into a web page to enter card numbers but never store them, that’s SAQ C-VT.
  • Old-school setups where you store card numbers: Please stop doing this. But if you must, you’re looking at SAQ D and significantly more work.

Not sure which applies? PCICompliance.com’s free SAQ Wizard walks you through a few simple questions about your payment setup and tells you exactly which questionnaire you need. No guessing required.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Each “yes” means you’ve implemented that specific control. Don’t overthink it — the questions are straightforward:

  • “Do you change default passwords on payment systems?”
  • “Do you have a firewall between your payment terminals and the internet?”
  • “Do you restrict access to cardholder data to only those who need it?”

For most Level 4 merchants, completing your SAQ takes 30 minutes to a few hours, depending on your SAQ type. You’ll need to gather some basic documentation:

Network diagram: Don’t panic — for small merchants, this can be a simple sketch showing how your payment terminals or computers connect to the internet.

Security policies: Basic written procedures for password management, who can access payment systems, and what to do if you suspect a breach.

Vendor list: Any third-party services that touch payment data (your e-commerce platform, payment gateway, etc.).

Quarterly ASV scans: If you accept payments online, you’ll need quarterly vulnerability scans from an Approved Scanning Vendor. These automated scans check your website and payment systems for security holes. They typically take 20-30 minutes to run and cost $50-150 per quarter.

Once you’ve answered all questions and gathered your documentation, you’ll generate an Attestation of Compliance (AOC). This is your formal declaration that you meet PCI requirements. Submit it to your payment processor through whatever portal or process they’ve specified, and you’re done — until next year.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your merchant level and payment setup:

Compliance platforms and tools: Most small merchants spend $200-600 annually on PCI compliance software that includes SAQ wizards, policy templates, and compliance tracking. Some payment processors include basic tools with your merchant account.

ASV scanning: If you need quarterly scans, budget $200-600 annually. Many compliance platforms bundle this with their other services.

QSA assessment: Only required for Level 1 merchants or if your acquirer specifically demands it. Full QSA assessments start around $15,000 for small environments.

Your time: The real cost for most small businesses. Plan on 4-8 hours annually for SAQ completion, plus time to implement any missing security controls.

Compare that to non-compliance costs: monthly fines from your processor ($25-100), increased transaction fees, potential breach liability (average small merchant breach costs $35,000-50,000), and the nuclear option — losing your ability to accept cards entirely.

For most small merchants, annual compliance costs less than what you’d pay in processor fines for just three months of non-compliance. It’s not just about checking boxes; it’s about protecting your business.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done exercise. Your processor will require annual revalidation, and if you process online, you’ll need quarterly ASV scans. Mark your calendar now:

Annual tasks: Complete your SAQ, update your security policies, review user access, check that you’re using current software versions.

Quarterly tasks: Run ASV scans if required, review any new vulnerabilities, update passwords, check that fired employees no longer have access.

Ongoing practices: Train new employees on card data security, maintain your firewall, install security patches promptly, monitor for suspicious activity.

Certain changes trigger immediate reassessment: switching payment processors, adding new payment channels (like starting to accept phone orders), significantly increasing transaction volume, or experiencing a data breach. When in doubt, check with your acquirer.

PCICompliance.com’s compliance dashboard tracks all these deadlines for you. It sends reminders before scans are due, alerts you to new requirements, and maintains your compliance history in one place. No more scrambling when your processor asks for last year’s AOC.

FAQ

Who exactly determines merchant level — Visa, Mastercard, or my payment processor?

While each card brand sets its own merchant level thresholds, your acquiring bank or payment processor determines your merchant level for compliance purposes. They aggregate your total transaction volume across all card brands and classify you accordingly. Some acquirers may bump you up a level based on their own risk assessments.

What if I only process a few transactions per month?

Transaction volume doesn’t exempt you from PCI compliance. If you accept even one credit card payment annually, you need to comply. The good news is you’ll be a Level 4 merchant with the simplest requirements — likely just an annual SAQ A or B.

My payment processor says I need to be compliant but I use Square. Don’t they handle it?

Square (and similar providers) handle much of the technical security, but they don’t make you automatically compliant. You still need to complete an annual SAQ, implement physical security for your terminals, and follow basic security practices. Square reduces your scope but doesn’t eliminate it.

How do acquirers verify merchant levels?

Your acquirer already knows your transaction volume — they process your payments. They’ll automatically classify you based on this data and notify you of your merchant level when requesting annual compliance validation. If you process through multiple acquirers, each may classify you differently based on the volume they see.

What happens if my transaction volume increases significantly?

If your volume pushes you into a higher merchant level, your acquirer will reclassify you at your next annual review. This might mean moving from a simple SAQ to a more complex one, or from self-assessment to requiring a QSA audit. Monitor your growth and plan accordingly.

Can I just ignore the compliance questionnaire from my processor?

Technically yes, but it’s an expensive mistake. Your processor will likely start fining you monthly, increase your processing rates, and potentially terminate your merchant account. Finding a new processor after being terminated for non-compliance is difficult and expensive.

Do I need to hire a QSA as a small merchant?

Probably not. Level 3 and 4 merchants typically self-assess using an SAQ. Only Level 1 merchants (and some Level 2) require formal QSA assessments. If you’re reading this guide wondering about basics, you’re almost certainly able to self-assess.

What if I only accept payments at trade shows or farmers markets?

Mobile and temporary merchants still need PCI compliance. If you use a mobile card reader (Square, PayPal Here, etc.), you’ll likely complete SAQ B. The requirements are minimal but not optional — your processor still expects annual validation.

Conclusion

Finding out you need to be PCI compliant can feel overwhelming, especially when you’re just trying to run your business. But here’s the truth: for most small merchants, achieving compliance is straightforward and affordable. Your payment processor determines your merchant level based on your transaction volume, and as a Level 4 merchant, you’ll complete a simple self-assessment questionnaire that takes a few hours per year.

The key is understanding what applies to your specific situation and having the right tools to guide you through it. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You don’t need to become a security expert or hire expensive consultants. Start with our free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team if you need guidance. We’ve helped thousands of merchants just like you navigate PCI compliance without the confusion or complexity.
