Step 1: Determine your Level
| Merchant Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire | Network Vulnerability Scan |
|---|---|---|---|---|
| 1 | At least 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover | Required Annually | N/A | Required Quarterly |
| 2 | 1 million to 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover | At Merchant Discretion* | Required Annually* | Required Quarterly |
| 3 | 20k to 1 million e-commerce transactions annually from any acceptance channel for Visa, MasterCard or Discover | N/A | Required Annually | Required Quarterly |
| 4 | Fewer than 20k e-commerce transactions annually, or fewer than 1 million transactions from any acceptance channel for Visa, MasterCard or Discover | N/A | Required Annually | Required Quarterly |

| Service Provider Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire | Network Vulnerability Scan |
|---|---|---|---|---|
| 1 | More than 300,000 transactions annually for Visa or MasterCard | Required Annually | N/A | Required Quarterly |
| 2 | 300,000 or fewer transactions annually for Visa or MasterCard | N/A | Required Annually (SAQ D) | Required Quarterly |

*Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to retain the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC-approved QSA instead of an annual self-assessment questionnaire.

Step 2: Identify your validation type, determine which Self-Assessment Questionnaire (SAQ) is appropriate for your business, and complete the SAQ.

| SAQ | Description |
|---|---|
| A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. |
| B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. |
| C-VT | Merchants using only web-based virtual terminals, no electronic cardholder data storage. |
| C | Merchants with payment application systems connected to the internet, no cardholder data storage. |
| D | All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by payment brand as eligible to complete an SAQ. |

Step 3: Complete a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV) and obtain evidence of a passing result. This is required for Validation Types 4 and 5, that is, merchants with external-facing IP addresses. You can find a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) at https://www.pcisecuritystandards.org/

Ten Approaches to Consider in Card-Not-Present Transactions