What are the different PCI Compliant Merchant Levels?

The requirements for becoming Payment Card Industry (PCI) compliant depend on the merchant level a company falls under. Merchants are divided into four levels based on the number of card transactions they process in a year.

Merchant Levels

  • Level 1
    • Criteria
      • Merchants with over 6 million transactions a year
      • Merchants whose data has been compromised
    • Requirements
      • Annual Onsite Security Audit and quarterly network security scan
  • Level 2
    • Criteria
      • Merchants with 150,000 to 6 million transactions a year
    • Requirements
      • Annual Self Assessment Questionnaire
      • Quarterly Scan by an Approved PCI Scanning Vendor
  • Level 3
    • Criteria
      • Merchants with 20,000 to 150,000 transactions a year
    • Requirements
      • Quarterly Scan by an Approved PCI Scanning Vendor
      • Annual Self Assessment Questionnaire
  • Level 4
    • Criteria
      • Merchants with less than 20,000 transactions a year
    • Requirements
      • No requirement to report compliance, but compliance must still be maintained.


Level 1 Merchants

The Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Security Audit Procedures document. This document is also to be used as the template for the Report on Compliance.

Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Confirmation of Report Accuracy form completed by their assessor to their acquirers.

Acquirers must submit the Confirmation of Report Accuracy form and a letter accepting the merchant’s full compliance validation to Visa upon receipt and acceptance of the merchant’s validation documentation.

Download the PCI Security Audit Procedures - PDF

Download the merchant Confirmation of Report Accuracy - DOC


Level 2/Level 3 Merchants

The Annual PCI Self-Assessment Questionnaire must be completed by Level 2 and 3 merchants. Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire as specified by their acquirer.

Download the PCI Self-Assessment Questionnaire


Level 1/Level 2/Level 3 Merchants

The Quarterly Network Security Scan is performed by an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan that remotely reviews networks and Web applications based on the externally-facing Internet Protocol (IP) addresses provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their Level 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan applies to merchants with externally-facing IP addresses, as specified by their acquirer; merchants that have no externally-facing IP addresses are not required to perform it.

Download the PCI Security Scanning Procedures
