Who defines merchants and service provider levels?

The correct answer is defined by payment brands because they are responsible for establishing the categorization and requirements for merchants and service providers based on transaction volume and characteristics. Payment brands, such as Visa and Mastercard, set the standards that dictate how merchants and service providers are classified into different levels, which can influence the level of security compliance required from them. This classification affects the protocols that businesses must implement to protect cardholder data and ensure compliance with industry security standards, particularly with regard to payment card processing.

The roles of service providers, regulatory bodies, and merchant associations differ in their focus. While service providers offer technical solutions and support, they do not have the authority to create the definitions or requirements for merchant levels. Regulatory bodies may influence payment processing regulations but do not directly define the merchant and service provider levels. Merchant associations can support merchants with resources and advocacy but do not set the standards for classifications themselves. Therefore, the predominant authority on defining these levels lies with the payment brands.