PCI DSS defines four merchant levels, and the compliance program you must follow (and how complex compliance is) depends on your organisation's level. Your level is determined by the number of payment card transactions (credit, debit and prepaid) you process annually for each of the governing payment card providers. The levels are set by the card providers, not by the PCI DSS Security Standards Council.
An explanation of each level for each card provider is outlined below:
American Express: https://www209.americanexpress.com/merchant/services/en_US/data-security
As an example, here are the levels from VISA:
1 – Compromised entities may be escalated at regional discretion
2 – Merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exception may apply to global merchants if no common infrastructure and if Visa data is not aggregated across borders; in such cases merchant validates according to regional levels.