Regarding PCI DSS merchant levels, it is paramount that these very merchants properly identify the level they fall under for compliance with PCI DSS. Most merchants will be able to undergo their own payment card industry data security standards (PCI DSS) self assessment questionnaire (SAQ). However, many will also be required to conduct and go through an annual on-site assessment by a Qualified Security Assessor (QSA).
Again, this all depends on the merchant levels and you have to understand that these PCI DSS merchant levels are different for each of the respective payment brands. So, let’s take a closer look at this.
Discover Card: They do not even use merchant level categories, rather, they use a risk based approach for assigning PCI DSS requirments.
VISA: Visa uses Levels 1 to 4 for classifying merchant levels. Learn more about VISA Merchant requirments
American Express, JCB, MasterCard: These major payment brand heavyweights also have identify merchants from Levels 1 to 4, and again, this is based on transaction volume. Learn more about their PCI DSS merchant levels.