All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Most merchants which will find this website and the appropriate SAQ applicable will fall into Level 4 - the highlighted blue section.
* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
** A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.
In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.
*The PCI DSS requires that all merchants with externally-facing IP addresses perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants. As a level 4 merchant with no external IP addresses connected to a system that processes cardholder data, all that is required is the annual SAQ!