From the course: Getting Started with PCI 4.0 Compliance
Merchant reporting levels
- [Instructor] In this video, you will learn about the various merchant levels associated with PCI and what this means to each merchant when it comes to providing attestation of PCI compliance. Merchants are classified based on annual transaction levels of card-present or card-not-present purchases. You can expect to receive notification of your level from your acquiring bank or even your payment processor. If you don't, you can estimate your level based on volume until you do hear from them. The levels go from level four to level one, which is the smallest merchant at less than 20,000 transactions per year to the largest at over 6 million per year. Transaction levels can be viewed collectively for organizations associated with a parent brand. So even if you're a small organization, if you are part of a larger group you may have your level artificially raised. Each of these different levels may have different reporting requirements, which we'll discuss in a later slide. No matter how many transactions your organization processes annually, if you experience a data breach where PCI scope data is compromised, or if the PCI Security Standards Council decides you're level one, then you are level one. PCI merchant levels are essentially at the discretion of the acquiring banks or the council. The key thing to remember is that it's not the merchant level you are at which defines which PCI standards you have to meet; it's the PCI scope, which we will discuss later. I've often heard, "Oh, they're level four, so they don't have to meet all the level one requirements." This simply isn't accurate. Expect to start with all requirements in your scope until you can clearly identify them as out of scope based on your data flow diagram, and whether or not you store account data or use particular types of payment hardware. The level requirements relate to transaction count and subsequent recording needs, not to the technical requirements that have to be met.
All levels have to meet all requirements unless those requirements are deemed out of scope, as mentioned. Essentially, merchant levels are externally provided and not up to the individual merchant. If you haven't been told your level, you have to make a best guess. But it's helpful to be realistic in your estimation so that you don't get a nasty surprise when you hear from your acquiring bank. Remember that your level doesn't affect your requirements, just who can complete the paperwork. Your PCI scope will remain the same either way. Now let's talk about how to report compliance with PCI.