Regulatory Compliance, Governance and Security

Jun 26 2009   3:08PM GMT

PCI DSS Requirements and PCI DSS Merchant Levels | VISA

Charles Denyer Charles Denyer Profile: Charles Denyer

PCI DSS Requirements for Merchants is dependent on the “Level” your organization falls into. Currently, there are four (4) Merchant Levels for PCI DSS compliance. What’s important to note is that these merchant levels are based on transaction volume of cardholder data. But also keep in mind that many merchants who do not meet the more stringent Level 1 requirements because of lower transaction volumes may still have to become Level 1 compliant based on customer demands, marketing efforts for their company, or possible regulatory requirements (i.e, you’ve been notified by your acquirer that you need to be level 1 compliant).

Thus, here are the VISA Merchant Levels:

Level 1: Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year OR Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 1 Requirements:
* Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
* Quarterly network scan by Approved Scan Vendor (“ASV”)
* Attestation of Compliance Form

Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 2 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 3 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.

Level 4 Requirements:
* Annual SAQ recommended
* Quarterly network scan by ASV if applicable
* Compliance validation requirements set by acquirer

To learn more about PCI DSS compliance and merchant level requirements for other payment brands (MasterCard, American Express, Discover Card, and JCB), visit pciassessment.org

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: