Who makes the decision about a merchant's level?

The decision about a merchant's level is primarily made by the merchant's acquirer, which is the financial institution or bank that processes credit card transactions on behalf of the merchant. The acquirer evaluates the volume and nature of transactions processed by the merchant, which directly influences the risk level associated with their operations.

Based on this assessment, the acquirer classifies the merchant into one of the levels set by the Payment Card Industry Data Security Standard (PCI DSS). These levels are determined by the number of transactions processed annually and other factors, such as transaction types and risk factors associated with the merchant.

While payment processors and payment brands play vital roles in the transaction process, they do not determine the merchant's level. The cardholder, being the end-user of services or products, is also not involved in this decision-making process. Thus, the acquirer's role is crucial as they balance risk management and compliance with PCI DSS requirements, leading to a well-informed classification of the merchant's level.