Summary
- A merchant is any business that accepts payment cards for goods or services.
- Under PCI DSS, merchants are responsible for protecting cardholder data.
- Merchants are categorized into levels based on transaction volume.
- Each merchant must validate PCI compliance annually—often via SAQs or audits.
- Third-party tools, client-side scripts, and checkout flows all impact merchant scope.

What Is a Merchant in the Context of PCI DSS?
A merchant is any entity that accepts credit or debit card payments for goods or services. This includes online retailers, brick-and-mortar stores, subscription platforms, healthcare providers, SaaS companies, and nonprofits that accept donations by card.
The PCI Security Standards Council (PCI SSC) defines a merchant as an entity that “stores, processes, or transmits cardholder data on behalf of the customer.”
Whether you run a physical point-of-sale system or an eCommerce storefront, you’re considered a merchant—and are therefore subject to PCI DSS (Payment Card Industry Data Security Standard) requirements.
What Are the Merchant Levels?
Merchants are grouped into four levels, based on annual Visa or Mastercard transaction volume:
| Merchant Level | Annual Transactions | Validation Requirement |
| --- | --- | --- |
| Level 1 | Over 6 million | Annual ROC + quarterly scan |
| Level 2 | 1–6 million | SAQ + scan (or ROC) |
| Level 3 | 20,000–1 million (eCommerce) | SAQ + scan |
| Level 4 | Fewer than 20,000 (eCommerce) or <1M (other) | SAQ may suffice |
Each level determines how much evidence the merchant must provide to validate compliance—ranging from Self-Assessment Questionnaires (SAQs) to third-party Reports on Compliance (ROCs) from a Qualified Security Assessor (QSA).
Most small businesses and SaaS startups fall under Levels 3 or 4—but must still meet all relevant PCI controls.
Why Does the Merchant Definition Matter for Compliance?
Being classified as a merchant means you’re responsible for:
- Securing your payment infrastructure, including POS systems, APIs, and checkout flows
- Managing any third-party vendors that process cardholder data
- Completing annual PCI DSS validation, even if you never store card data
- Monitoring and securing any part of your environment that handles or routes cardholder data
Many merchants wrongly assume that outsourcing payments to platforms like Stripe, PayPal, or Square removes their PCI obligations. In reality, the moment your site touches cardholder input, you share responsibility.
PCI DSS Requirement 12.8 requires merchants to monitor third-party service providers with access to card data.
What Systems Put a Merchant In Scope?
Your PCI DSS obligations as a merchant depend on how you collect and route card data. You’re in scope if you:
- Host a checkout form or embed a payment iframe
- Use JavaScript that could access or modify card input fields
- Serve third-party scripts (e.g., tag managers, chat widgets) on payment pages
- Log or store full or partial card numbers, even temporarily
- Transmit cardholder data through your infrastructure
New PCI DSS 4.0 requirements—like Requirement 6.4.3 (script inventory) and 11.6.1 (script change detection)—are especially relevant for merchants with browser-based checkout flows.
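Requirement 6.4.3 asks for an inventory of every script on the payment page, each with a written justification and some assurance of its integrity, and 11.6.1 asks for a mechanism that detects unauthorized changes to the page as the browser receives it. The Python below is an added example, not code from this page or from PCI SSC: it builds an inventory from a known-good copy of the checkout page and then compares a later copy against it, reporting new scripts, edited inline scripts, changed or missing SRI attributes, and inventory entries that have disappeared. Every URL, integrity value and HTML fragment in it is constructed sample data, and the `inline#<n>` keying for inline scripts is this example's own convention.

```python
"""Payment-page script inventory and change detection (added example).

A simplified model of PCI DSS 4.0 Requirement 6.4.3 (inventory, written
justification and integrity assurance for every payment-page script) and
11.6.1 (detect unauthorized changes to the delivered page). All URLs,
hashes and HTML are constructed sample data; the inventory layout and the
"inline#<n>" purpose keys are this example's own convention, not PCI SSC's.
"""
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional


@dataclass(frozen=True)
class ScriptRef:
    kind: str                 # "external" or "inline"
    identity: str             # src URL, or sha256 hex of the inline body
    integrity: Optional[str]  # value of the SRI integrity attribute, if any


class _ScriptCollector(HTMLParser):
    """Collects every <script> element; inline bodies are hashed, not stored."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[ScriptRef] = []
        self._attrs: Optional[dict] = None   # attrs of the <script> being read
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._buf = dict(attrs), []

    def handle_data(self, data):
        if self._attrs is not None:          # html.parser hands script text to handle_data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            src = self._attrs.get("src")
            if src:
                self.scripts.append(ScriptRef("external", src, self._attrs.get("integrity")))
            else:
                body = "".join(self._buf).strip().encode("utf-8")
                self.scripts.append(ScriptRef("inline", hashlib.sha256(body).hexdigest(), None))
            self._attrs = None


def collect_scripts(html: str) -> list[ScriptRef]:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def build_inventory(known_good_html: str, purposes: dict[str, str]) -> dict[str, dict]:
    """6.4.3: every script needs a documented reason to be on the payment page.

    `purposes` is keyed by src for external scripts and by "inline#<n>" for the
    n-th inline script. A script with no justification is rejected, not allowed.
    """
    inventory: dict[str, dict] = {}
    inline_seen = 0
    for ref in collect_scripts(known_good_html):
        key = ref.identity if ref.kind == "external" else f"inline#{inline_seen}"
        inline_seen += ref.kind == "inline"
        if key not in purposes:
            raise ValueError(f"script {key} on the payment page has no written justification")
        inventory[ref.identity] = {"kind": ref.kind, "purpose": purposes[key], "integrity": ref.integrity}
    return inventory


def detect_changes(current_html: str, inventory: dict[str, dict]) -> dict[str, list]:
    """11.6.1 (simplified): diff what the browser would receive against the inventory."""
    report: dict[str, list] = {"ok": [], "unauthorized": [], "integrity_changed": [],
                               "no_integrity": [], "missing_from_page": []}
    seen = set()
    for ref in collect_scripts(current_html):
        seen.add(ref.identity)
        entry = inventory.get(ref.identity)
        if entry is None:                       # new script, edited inline body, or changed src
            report["unauthorized"].append(ref)
        elif ref.kind == "external" and ref.integrity != entry["integrity"]:
            report["integrity_changed"].append(ref.identity)   # SRI value added, removed or changed
        elif ref.kind == "external" and ref.integrity is None:
            report["no_integrity"].append(ref.identity)        # authorized but unpinned: weak spot
        else:
            report["ok"].append(ref.identity)
    report["missing_from_page"] = [i for i in inventory if i not in seen]
    return report


# Constructed sample pages: a reviewed baseline and a later copy with four deviations.
BASELINE_HTML = """<html><head>
<script src="https://js.example-psp.test/v3/checkout.js"
        integrity="sha384-PLACEHOLDER-BASELINE" crossorigin="anonymous"></script>
<script src="https://static.example-merchant.test/checkout-ui.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form id="card-form"></form></body></html>"""

PURPOSES = {   # written justification per script, as 6.4.3 expects (sample text)
    "https://js.example-psp.test/v3/checkout.js": "Loads the PSP-hosted card fields (required)",
    "https://static.example-merchant.test/checkout-ui.js": "Merchant checkout UI logic",
    "inline#0": "Checkout configuration object",
}

CURRENT_HTML = """<html><head>
<script src="https://js.example-psp.test/v3/checkout.js"
        integrity="sha384-PLACEHOLDER-NEWVERSION" crossorigin="anonymous"></script>
<script src="https://static.example-merchant.test/checkout-ui.js"></script>
<script>window.checkoutConfig = {currency: "USD", debug: true};</script>
<script src="https://widgets.example-chat.test/embed.js" async></script>
</head><body><form id="card-form"></form></body></html>"""


def run_demo() -> dict[str, list]:
    return detect_changes(CURRENT_HTML, build_inventory(BASELINE_HTML, PURPOSES))


if __name__ == "__main__":
    for finding, items in run_demo().items():
        print(f"{finding}: {items}")
```

Run against the sample pages, the report flags the chat widget and the edited configuration object as unauthorized, the PSP loader as having a changed SRI value, and the merchant's own `checkout-ui.js` as authorized but unpinned. In real use the "current" copy should be what a browser receives from production, not a file from the repository, and 11.6.1 expects the comparison to run at least weekly or at the frequency set in the merchant's targeted risk analysis; the `sha384-PLACEHOLDER-…` values stand in for real digests.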
FAQ
Do I still need PCI compliance if I use Stripe or Square?
Yes. While they reduce your risk, you’re still responsible for securing any part of your site or app that collects, routes, or displays card data—even if only momentarily.
What is the easiest way for a small merchant to validate compliance?
For most Level 4 merchants, a properly scoped SAQ A or SAQ A-EP combined with a vulnerability scan may be sufficient. Use a PCI-approved QSA or ASV to guide this.
How do I know what level of merchant I am?
Check your annual Visa/Mastercard volume or contact your acquiring bank or payment processor—they typically inform you of your merchant level each year.
Conclusion
If you accept payment cards, you’re a merchant—and PCI DSS applies to you. Your compliance scope depends on how you process payments, which systems are involved, and how third parties interact with your environment.
Merchants must:
- Identify cardholder data flows
- Validate compliance annually via SAQ or audit
- Monitor third-party scripts and client-side risk
- Secure browser and server-side checkout infrastructure
Ignoring PCI obligations as a merchant can result in fines, reputational damage, and breach liability. Getting it right starts with understanding your role—and your risk.