Skip to content ↓ | Skip to navigation ↓

To distinguish the size of merchant companies and appropriately determine the level of testing required, the founding credit card companies created four different brackets ranging from Tier 1 to 4.

Each tier is based on the number of transactions processed per year by the merchant and also dictates the testing a merchant must undertake. While transactions are the primary determiner, a merchant can also be made Tier 1 at the major credit card company’s discretion if they have suffered a cyber breach.

PCI DSS Merchant Levels

  • Level 1: Any merchant processing 6 million+ transactions per year across all channels or any merchant that has had a data breach. Credit card companies can also upgrade any merchant to Level 1 at their discretion.
  • Level 2: Any merchant processing between 1-6 million transactions per year across all channels.
  • Level 3: Any merchant processing between 20,000 and 1 million e-commerce transactions per year.
  • Level 4: Any merchant processing less than 20,000 e-commerce transactions per year or any merchant processing up to 1 million regular transactions per year.

The levels are relatively self-explanatory; the more transactions you process, the higher the tier. The only thing to be aware of is Levels 3 and 4, which concern e-commerce (online) and mean you could go straight from Level 4 to Level 2, bypassing Level 3, depending on your business and number of transactions.

Do I need penetration testing?

As a penetration tester, I would recommend testing your systems for the sake of security rather than for achieving PCI DSS compliance. (If you secure your systems beyond what is mandated by PCI DSS, you’ll achieve compliance by default anyway and be more secure in the process.)

All tiers apart from Tier 1 will need to complete a self-assessment questionnaire (SAQ). The type of SAQ you’ll require is dependent on what type of merchant you are and how you handle credit card payments. (For example, if you outsource payment processing to a PCI DSS-compliant third party.)

Depending on your SAQ category, you may be able to avoid penetration testing altogether and still be PCI compliant. For instance, if you are SAQ category A, you don’t need to perform external scanning or testing.

Generally, the minimum requirement in addition to the SAQ is a quarterly external vulnerability scan using an Approved Scanning Vendor (ASV). Depending on merchant tier and SAQ type, you may also need to have additional annual internal and external penetration testing, as well as an assessment of any web applications.

For merchant service providers, you’ll need to perform testing every six months rather than the annual requirement for merchants.

If you fall under a SAQ category that requires testing, you will also be required to perform additional testing after any significant changes made to the Cardholder Data Environment (CDE). While ‘significant change’ has a degree of interpretation, it should be considered as a change made to any infrastructure that, if compromised, could have an impact on Cardholder Data (CHD).

As a simple rule of thumb – if in doubt, get it tested. It’s better to have done too much than too little in terms of scanning and testing your applications, and it can’t hurt to be more secure.


Alec AuerAbout the Author: Alec Auer, BA (Hons) AMBCS OSCP CRT has been a penetration tester with First Base Technologies for several years and conducts various types of penetration and compliance testing, including web application and internal infrastructure, email phishing and Cyber Essentials. He has also achieved the Offensive Security Certified Professional (OSCP) qualification and is a CREST Registered Tester.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.