What are the different PCI compliance merchant levels?

The requirements for validating Payment Card Industry (PCI) compliance depend on the merchant level that a company falls under. Merchants are divided into four levels based on the number of card transactions they process in a year. The exact thresholds and validation requirements are set by each card brand (the figures below follow Visa's program) and by the merchant's acquirer, and they have been revised over time, so a merchant should confirm its level with its acquirer rather than rely on the numbers here alone.

Merchant Levels

  • Level 1
    • Criteria
      • Merchants processing over 6 million transactions a year
      • Any merchant whose cardholder data has been compromised (the card brand may assign Level 1 regardless of volume)
    • Requirements
      • Annual on-site security assessment (Report on Compliance) and quarterly network security scan by an Approved Scanning Vendor (ASV)
  • Level 2
    • Criteria
      • Merchants processing 150,000 to 6 million transactions a year
    • Requirements
      • Annual Self-Assessment Questionnaire (SAQ)
      • Quarterly scan by an Approved Scanning Vendor (ASV)
  • Level 3
    • Criteria
      • Merchants processing 20,000 to 150,000 transactions a year
    • Requirements
      • Annual Self-Assessment Questionnaire (SAQ)
      • Quarterly scan by an Approved Scanning Vendor (ASV)
  • Level 4
    • Criteria
      • Merchants processing fewer than 20,000 transactions a year
    • Requirements
      • No mandatory reporting to the card brand, but the merchant must still meet all PCI requirements; the acquirer may require an SAQ and quarterly scans at its discretion.


Level 1 Merchants

Level 1 merchants must complete the Annual On-Site PCI Data Security Assessment according to the PCI Security Audit Procedures document. That document also serves as the template for the Report on Compliance (ROC).

Level 1 merchants should engage a Qualified Security Assessor (QSA) to complete the Report on Compliance and deliver it to their acquirer. Alternatively, an acquirer may elect to accept a Report on Compliance prepared by the merchant's own internal audit staff, provided that a letter signed by a merchant officer accompanies the report. In either case, Level 1 merchants must also submit the Confirmation of Report Accuracy form, completed by their assessor, to their acquirer.

Upon receipt and acceptance of the merchant's validation documentation, the acquirer must submit the Confirmation of Report Accuracy form and a letter accepting the merchant's full compliance validation to Visa.

Download the PCI Security Audit Procedures - PDF

Download the merchant Confirmation of Report Accuracy - DOC


Level 2 / Level 3 Merchants

Level 2 and Level 3 merchants must complete the Annual PCI Self-Assessment Questionnaire. Level 4 merchants may also be required to complete the Self-Assessment Questionnaire if their acquirer specifies it.

Download the PCI Self-Assessment Questionnaire


Level 1 / Level 2 / Level 3 Merchants

The Quarterly Network Security Scan uses an automated tool to check systems for known vulnerabilities. It is a non-intrusive scan that remotely reviews networks and web applications at the externally-facing Internet Protocol (IP) addresses the merchant provides; it does not exploit the weaknesses it finds. Acquirers are responsible for ensuring that the quarterly scans required of their Level 1, 2 and 3 merchants are performed by an Approved Scanning Vendor (ASV), and that the merchant obtains a passing result, which means that findings are remediated and rescanned rather than merely reported. The scan applies to merchants with externally-facing IP addresses, as specified by their acquirer; merchants that have no externally-facing IP addresses are not required to perform it. Note that a host on a private address that is reachable from the Internet through NAT or a load balancer is still externally facing, so the scope list must contain the public addresses as seen from outside, not the internal ones.

Download the PCI Security Scanning Procedures
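The paragraph above makes scan scope turn on a single question: which of the merchant's addresses are actually reachable from the Internet? The following is an added example, not code from the original page or from any PCI document, showing how a practitioner might build that scope list from an address inventory before handing it to the ASV. The inventory, the hostnames and the public addresses in it are constructed placeholders; it assumes the inventory already lists the post-NAT public address for anything published through NAT, since a routability check cannot infer that from an RFC 1918 address.

```python
import ipaddress

# Constructed sample inventory for this example (hostname -> address as the
# merchant would list it). The public addresses are placeholders standing in
# for the merchant's own; a bare hostname is included to show the error path.
INVENTORY = {
    "web-store":    "1.1.1.1",               # placeholder public IPv4
    "web-store-6":  "2001:4860:4860::8888",  # placeholder public IPv6
    "pos-gateway":  "10.20.30.40",           # RFC 1918, not routable
    "branch-nat":   "100.64.1.7",            # carrier-grade NAT (RFC 6598)
    "docs-host":    "203.0.113.10",          # TEST-NET-3, reserved
    "db-primary":   "192.168.5.2",           # RFC 1918
    "legacy-entry": "shop.example",          # hostname, must be resolved first
}


def is_externally_facing(addr: str) -> bool:
    """True if the literal address is globally routable (reachable from the Internet).

    ipaddress.is_global excludes private, loopback, link-local, shared-address
    (100.64/10), documentation and other reserved ranges for both IPv4 and IPv6.
    Raises ValueError for anything that is not a literal IP address.
    """
    return ipaddress.ip_address(addr).is_global


def asv_scan_scope(inventory: dict[str, str]):
    """Split an inventory into in-scope, out-of-scope and needs-review entries.

    Entries that are not literal addresses (hostnames, typos) go to needs_review
    rather than being silently dropped, because a missing target is a scope gap
    the assessor will not see.
    """
    in_scope, out_of_scope, needs_review = {}, {}, {}
    for host, addr in inventory.items():
        try:
            bucket = in_scope if is_externally_facing(addr) else out_of_scope
        except ValueError:
            needs_review[host] = addr
            continue
        bucket[host] = addr
    return in_scope, out_of_scope, needs_review


def scan_required(inventory: dict[str, str]) -> bool:
    """The quarterly scan applies only if at least one address is externally facing."""
    in_scope, _, _ = asv_scan_scope(inventory)
    return bool(in_scope)


if __name__ == "__main__":
    in_scope, out_of_scope, needs_review = asv_scan_scope(INVENTORY)
    print("Quarterly ASV scan required:", scan_required(INVENTORY))
    for host, addr in in_scope.items():
        print(f"  in scope     {host:<13} {addr}")
    for host, addr in out_of_scope.items():
        print(f"  out of scope {host:<13} {addr}")
    for host, addr in needs_review.items():
        print(f"  NEEDS REVIEW {host:<13} {addr} (not an IP literal; resolve and re-run)")
```

The "docs-host" entry is deliberately in a documentation range: it looks public but is reserved, and `is_global` correctly keeps it out of scope, which is the kind of mistake that shows up when scope lists are typed by hand. Anything landing in the needs-review bucket should be resolved to its public addresses and added back before the list goes to the ASV.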
