PCI DSS Level 3 And Impact on Merchants

By Max Edwards | Updated 21 February 2024

PCI DSS Level 3 is designated for merchants processing 20,000 to 1 million e-commerce transactions annually. These entities are required to complete an annual Self-Assessment Questionnaire (SAQ) to evaluate their compliance with PCI DSS standards and undergo quarterly network scans by an Approved Scanning Vendor (ASV), ensuring robust security measures are in place to safeguard cardholder data in online transactions.


PCI DSS and Its Impact on Level 3 Merchants

As a business handling cardholder data, understanding the Payment Card Industry Data Security Standard (PCI DSS) is crucial. With the introduction of PCI DSS 4.0, there are new technical and operational standards that your business must adhere to, especially if you’re classified under Level 3.

The Technical & Operational Changes in PCI DSS 4.0

PCI DSS 4.0 brings forth advancements in security protocols and operational procedures to counter new threats. Compared to its predecessor, version 4.0 emphasises customised implementation, allowing businesses like yours to adapt the standards to your unique environment while maintaining robust security.

Implications for Level 3 Merchants

If you’re a Level 3 merchant, processing between 20,000 and 1 million e-commerce transactions annually, the new version means you’ll need to reassess your compliance strategies. This includes adopting updated security measures such as enhanced encryption and continuous monitoring.

Ensuring Compliance with Updated Requirements

To meet these updated requirements, you’ll need to complete a Self-Assessment Questionnaire (SAQ) tailored to Level 3 merchants. This will involve a thorough review of your security controls and processes to ensure they align with the new standards.

Transition Support with ISMS.online

At ISMS.online, we understand the challenges you face during this transition. Our platform is designed to facilitate your move to PCI DSS 4.0, providing you with a pre-configured Integrated Management System (IMS) that aligns with the updated standards. We offer dynamic risk management tools and robust policy and control management to ensure you're not just compliant, but also secure.


Understanding Merchant Levels and Transaction Volumes

As you navigate the complexities of PCI DSS 4.0, understanding your classification as a merchant is crucial. For Level 3 merchants, the transaction volume thresholds are specific: you fall into this category if you process 20,000 to 1 million e-commerce transactions annually. It’s not just about e-commerce, though; if you handle fewer than 20,000 e-commerce transactions but over a million transactions across all channels, you’re also considered Level 3.

Who Determines Your Merchant Level?

The classification of merchant levels is typically determined by your acquiring bank, based on your annual transaction volume. This classification is not arbitrary; it’s a reflection of the risk and volume of cardholder data you manage.

Consequences of Misclassification

Misclassifying your business’s transaction volume can have significant implications. If you underestimate your transaction volume, you may not implement the necessary security measures, leaving you vulnerable to breaches. Conversely, overestimating could mean unnecessary compliance costs.

The Impact of Accurate Classification

Accurate classification is integral to maintaining compliance and establishing security trust. It ensures that you’re implementing the appropriate level of security measures for your transaction volume. At ISMS.online, we understand the importance of this classification and provide the tools and support to help you determine your correct merchant level, ensuring that your compliance efforts are well-directed and effective.



Navigating the Compliance Requirements for Level 3 Merchants

As a Level 3 merchant, you’re tasked with adhering to the PCI DSS 4.0 standards, which are designed to protect cardholder data and prevent fraud. Compliance is not just a mandate; it’s a commitment to your customers’ security and your business’s integrity.

Specific Actions for Compliance

To comply with PCI DSS 4.0, you must complete a Self-Assessment Questionnaire (SAQ), undergo quarterly network scans by Approved Scanning Vendors (ASVs), and ensure all security measures are up to date. These actions are critical in safeguarding cardholder data and maintaining trust in your payment processing.

The 12 Requirements and 6 Goals

The 12 requirements of PCI DSS 4.0, structured around 6 goals, are applicable to all merchants, including those at Level 3. These requirements range from maintaining a secure network to regularly monitoring and testing networks. Each requirement is designed to fortify different aspects of your payment card operations.

Sub-Requirements to Focus On

For Level 3 merchants, it’s essential to focus on sub-requirements that pertain to your specific transaction volume and business model. This includes implementing strong access control measures, maintaining an information security policy, and managing vulnerabilities.

ISMS.online’s Support for Compliance

At ISMS.online, our Integrated Management System is tailored to support your compliance journey. We provide a structured framework that aligns with the 12 requirements, simplifying the process of meeting each one. Our platform facilitates the management of policies, risk assessments, and compliance documentation, making it easier for you to achieve and maintain PCI DSS 4.0 compliance.


The Role of Self-Assessment Questionnaires (SAQ) in Compliance

For Level 3 merchants, the Self-Assessment Questionnaire (SAQ) is a pivotal component of the PCI DSS compliance process. It serves as a self-validation tool to assess security measures and policies in place for protecting payment card data.

Frequency of SAQ Submission for Level 3 Merchants

Level 3 merchants are required to complete and submit an SAQ annually. This regular self-assessment ensures that merchants continually adhere to the PCI DSS standards and adapt to any changes in their payment environment or the standard itself.

Key Components of an SAQ for Level 3 Merchants

An SAQ for Level 3 merchants typically includes:

  • A thorough assessment of your cardholder data environment.
  • Validation of compliance with each applicable PCI DSS requirement.
  • Documentation of any compensating controls in place.
  • Attestation of Compliance (AOC), which is a formal declaration of your compliance status.

Streamlining the SAQ Process with ISMS.online

At ISMS.online, we understand that completing an SAQ can be a complex task. Our platform simplifies this process by:

  • Providing pre-configured templates that align with PCI DSS requirements.
  • Enabling document management for easy organisation and retrieval of evidence.
  • Facilitating dynamic risk management tools to identify and mitigate any compliance gaps.

By leveraging our services, you can ensure that your SAQ is completed accurately and efficiently, maintaining the trust of your customers and the integrity of your business.



Reporting and Validation

As a Level 3 merchant, you’re required to demonstrate your adherence to PCI DSS 4.0 standards through specific reporting and validation mechanisms. This process is essential for maintaining the security of cardholder data and ensuring the integrity of your payment systems.

Required Reports for Level 3 Merchant Compliance

You must complete an annual Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC). Additionally, you’re required to undergo quarterly network scans by an Approved Scanning Vendor (ASV) to validate your compliance status.

Verifying Compliance for Level 3 Merchants

The responsibility for verifying your compliance lies with your acquiring bank. They may request additional documentation or evidence of compliance to ensure that all PCI DSS requirements are being met consistently.

The Role of Acquiring Banks and Approved Vendors

Acquiring banks and approved vendors play a critical role in the compliance process. They provide guidance, support, and verification services to ensure that you meet the necessary standards. Acquiring banks, in particular, are your primary point of contact for compliance reporting and validation.

Simplifying Compliance with ISMS.online

At ISMS.online, we provide tools and resources to streamline your compliance efforts. Our platform offers:

  • Document management systems to organise and maintain necessary compliance records.
  • Dynamic risk management tools to help you identify and address any compliance gaps.
  • Transparent reporting features to facilitate clear communication with acquiring banks and other stakeholders.

By utilising our services, you can ensure a smoother and more efficient path to PCI DSS 4.0 compliance.


Regular Network Scans and Security Tests

For Level 3 merchants, conducting regular network scans and security tests is not just a compliance requirement; it’s a proactive measure to ensure the safety of cardholder data. These scans are critical in identifying vulnerabilities before they can be exploited.

Quarterly Network Scans: A Cornerstone of Security

Quarterly network scans are mandated by the PCI DSS for all merchants, including those at Level 3. These scans must be performed by an Approved Scanning Vendor (ASV) to ensure they meet the rigorous standards set by the PCI SSC. The purpose of these scans is to detect any vulnerabilities in your network that could be potential entry points for cyber attackers.

Security Tests: Beyond the Basics

In addition to network scans, you’re expected to conduct regular security tests, including penetration testing and vulnerability assessments. These tests should be performed at least annually or after any significant changes to your network. They are essential for a more in-depth analysis of your security posture.

Maintaining a Robust Security Posture

These scans and tests are integral to maintaining a robust security posture. They help you to stay ahead of new threats and ensure that your security measures are effective and up to date.



Consequences of Non-Compliance

Non-compliance with PCI DSS 4.0 can have serious implications for your business. As a Level 3 merchant, it’s imperative to understand the potential consequences to ensure you prioritise and maintain compliance.

Fines and Penalties for Non-Compliance

If you fail to comply with PCI DSS 4.0, you could face:

  • Fines ranging from $5,000 to $100,000 per month from credit card companies.
  • Penalties imposed by acquiring banks, which may include higher transaction fees or even termination of services.

Impact on Payment Processing Capabilities

Non-compliance can lead to:

  • Restrictions on your ability to process credit card payments.
  • Revocation of your privilege to accept card payments, severely impacting your business operations.

Reputational Risks

The reputational damage from a data breach due to non-compliance can be devastating. It can lead to:

  • Loss of customer trust, which is difficult to rebuild.
  • Negative publicity, affecting your brand and customer loyalty.

Regulatory Oversight

Non-compliance can also result in:

  • Increased scrutiny from regulatory bodies like the Federal Trade Commission (FTC).
  • Mandatory audits and oversight, leading to additional costs and resource allocation.

At ISMS.online, we understand these risks and provide a comprehensive platform to help you navigate the complexities of PCI DSS 4.0 compliance, ensuring that you avoid these potential pitfalls.


PCI DSS Merchant Level Table

PCI DSS Merchant Level    Transactions Per Year
Level 1                   Over 6 million
Level 2                   Between 1 and 6 million
Level 3                   Between 20,000 and 1 million
Level 4                   Fewer than 20,000

Further Reading

Transitioning to PCI DSS 4.0

The transition to PCI DSS 4.0 is a significant milestone for Level 3 merchants, and it’s essential to be aware of the timeline and preparation steps to ensure a smooth transition.

Preparing for the Transition from 3.2.1 to 4.0

As you prepare to transition from PCI DSS version 3.2.1 to 4.0, consider the following steps:

  • Review the new standard to understand the changes and how they affect your business.
  • Assess your current compliance status to identify gaps that need addressing under the new version.
  • Plan updates to your security controls to meet the enhanced requirements of PCI DSS 4.0.

Incorporating Feedback and Addressing New Threats

Version 4.0 introduces mechanisms to address new threats and incorporates feedback from the industry. As a Level 3 merchant, you should:

  • Stay informed about emerging threats and how they may impact your compliance.
  • Engage with the PCI community to share feedback and learn from others’ experiences.

Customising Implementation of New Standards

PCI DSS 4.0 offers flexibility for merchants to customise their implementation. At ISMS.online, we can assist you in:

  • Tailoring security measures to fit your business model while maintaining compliance.
  • Utilising our platform to adapt the pre-configured IMS to the specific needs of your organisation.

By following these guidelines, you can ensure that your transition to PCI DSS 4.0 is well-planned and executed, keeping your business secure and compliant.


Encryption and Tokenization

In terms of PCI DSS compliance, encryption and tokenization are not just buzzwords; they are essential technologies that fortify the security of cardholder data. As a Level 3 merchant, understanding and implementing these technologies is crucial for safeguarding customer information.

The Support of Encryption and Tokenization in PCI DSS Compliance

Encryption renders cardholder data unreadable to anyone without the decryption key, while tokenization replaces the sensitive value with a unique identifier (a token) that has no meaning outside the system that issued it. Both methods are critical in preventing unauthorised access to cardholder information, thus supporting PCI DSS compliance efforts.

Benefits of Encryption and Tokenization

By employing encryption and tokenization, you’re not only meeting compliance standards but also:

  • Enhancing data security by making it unreadable to unauthorised parties.
  • Reducing the risk of data breaches, which can have severe financial and reputational consequences.

Addressing Authentication, Encryption, and Monitoring in PCI DSS 4.0

Version 4.0 of PCI DSS places a strong emphasis on authentication measures, ensuring that only authorised individuals have access to cardholder data. It also mandates robust encryption practices and continuous monitoring to detect and respond to security incidents promptly.

The Role of Data Governance in Compliance

Effective data governance ensures that data protection measures are not just implemented but also managed and maintained over time. It involves:

  • Regularly reviewing and updating security protocols.
  • Monitoring compliance with PCI DSS standards.
  • Ensuring that all staff are trained and aware of their roles in data protection.

At ISMS.online, we provide the framework and tools necessary for you to manage these aspects of data governance, helping you maintain PCI DSS compliance with confidence.



ISMS.online PCI DSS Compliance Solution

Navigating PCI DSS 4.0 compliance can be intricate, especially for Level 3 merchants with specific needs. At ISMS.online, we offer tailored solutions to streamline this process.

Pre-Configured IMS Benefits

Our pre-configured Integrated Management System (IMS) benefits Level 3 merchants by:

  • Simplifying the compliance journey with structured frameworks that align with PCI DSS requirements.
  • Reducing the time and effort needed to establish compliance processes.
  • Providing clear guidance on implementing the necessary controls and procedures.

Guided Certification Processes

We offer guided certification processes that include:

  • Step-by-step assistance to navigate the complexities of PCI DSS 4.0.
  • Expert support to address specific challenges faced by your business.
  • Customisable workflows that adapt to your unique operational needs.

Ensuring Comprehensive Compliance Assurance

To ensure staff and supplier compliance assurance, ISMS.online provides:

  • Supplier management tools to verify and manage third-party compliance.
  • Continuous monitoring to maintain compliance standards over time.

Transparent Reporting Features

Our platform supports PCI DSS 4.0 compliance with transparent reporting features that allow you to:

  • Generate and share reports with stakeholders effortlessly.
  • Demonstrate due diligence with a comprehensive audit trail.

For personalised assistance and to discover how our platform can support your PCI DSS 4.0 compliance efforts, please contact us. We are here to help you secure your transactions and protect your customers' data.
