Jul 24 2009 8:12PM GMT
Posted by: Charles Denyer
pci merchant level requirements,
visa,
american express,
mastercard,
Discover Card,
jcb,
charles denyer,
level 1,
level 2,
level 3,
level 4
PCI Merchant Level Requirements for VISA are stated as the following:
Level 1: Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year. Also, any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.
The other payment brands (MasterCard, American Express, Discover Card, and JCB) also have their own requirements for merchants.
Jul 17 2009 12:45PM GMT
Posted by: Charles Denyer
qsa,
pci dss qsa,
mastercard,
sdp program,
merchants level 2,
service providers,
reciprocity,
charles denyer,
pci dss self assessments,
Matercard site data protection program,
qualified security assessor
MasterCard has recently announced changes to their Site Data Protection program, which now requires BOTH Level 1 and Level 2 Merchants to retain a Qualified Security Assessor (QSA) to validate compliance in regards to PCI DSS.
This is truly a monumental shake up in the industry, as many Level 2 merchants that could “self-assess” in the past now have to engage with a QSA to perform an annual on-site assessment. As a QSA myself, i cannot give hard and fast number as to how many merchants this will affect, but i can tell you that it will be a high number indeed. Level 2 Merchants have quite honestly never been exposed to the time, expenses, and arduous undertakings of an annual on-site PCI DSS assessment. What’s more, these costs will without question create significant financial constraints for Level 2 merchants.
Finally, MasterCard has designated that all Merchants identified as Level 2 merchants by other brands will also be classified as Level 2 for MasterCard. Call it reciprocity, simple and to the point.
MasterCard has also redefined the Service Provider thresholds and their respective levels to align with Visa.
My advice, find yourself a good, competent, knowledgeable Qualified Security Assessor.
Jun 16 2009 11:40AM GMT
Posted by: Charles Denyer
charles denyer,
PCI DSS,
payment card industry data security standards (PCI DSS),
service providers payment card compliance,
visa,
amex,
mastercard,
Discover Card,
jcb,
pci qsa,
qualified security assessor,
pci dss compliance,
transaction processors,
payment gateways,
web hosting providers,
data centers,
managed service providers,
ISO
PCI DSS compliance is becoming a requirement for many service providers involved in the processing, storage, transmission, and switching of transaction data and cardholder data.
In short, a service provider, for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance includes companies that provide services to merchants, to other “service providers” or are other entities that control OR could impact the security of cardholder data.
So, here are some common examples of service providers:
Transaction Processors
Payment Gateways
Customer Service Entities, such as Call Centers
Managed Service Providers
Web Hosting Providers
Data Centers
Independent Sales Organizations (ISO’s)
And you may also want to know that the major payment brands (VISA, MasterCard, AMEX, Discover Card, and JCB) have different “terms” for service providers.
AMEX-They are called a “Third Party Processor”
Discover-They are called a “Third Party Processor” and a “Payment Service Provider”
Mastercard-They are called “Third Party Processors” and a “Data Storage Entity”
VISA-They can be called a “VisaNet Processor”, which is considered everybody that connects to VISA.
And generally speaking (with a noted exception), all Service Providers will need an annual on-site Review done by a Qualified Security Assessor.
Apr 30 2009 2:51PM GMT
Posted by: Charles Denyer
pci dss requirements,
pci qsa,
charles denyer,
visa,
mastercard,
american express,
amex,
Discover Card,
jcb,
level 1,
level 2,
level 3,
level 4,
processing over 6,
000,
processing 1,
000 to 6,
20,
000 to 1,
fewer than 20,
quarterly network scan asv,
annual self assessment
PCI DSS VISA Requirements for Merchants as stated by VISA require merchants to first and foremost identify what “Level” of compliance is required. This simply requires your organization to identify the number of transactions per year that are undertaken. In short, calculate or approximate this number to see which level you fall into.
Level 1: Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year and Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.
Now, based on which Level you fall into, listed below are the requirements as set forth by VISA.
Level 1: Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV
Level 2: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
Level 3: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
Level 4: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
To learn more about PCI DSS Requirements, visit pciassessment.org
Apr 20 2009 1:03PM GMT
Posted by: Charles Denyer
Payment Card Industry Data Security Standard,
charles denyer,
PCI DSS,
visa,
mastercard,
american express,
amex,
discover,
jcb,
service providers,
merchants,
pci ssc,
pci dss self assessment
The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is a far reaching compliance initiative put forth in a collaborative fashion by the major payment brands (VISA, MasterCard, American Express, Discover, and JCB). These compliance initiatives are overseen and guided by the Payment Card Industry Security Standards Council (PCI SSC).
Thus, if you need to become PCI DSS compliant, there are a number of valuable resources to look at. But first and foremost, you need to understand what Level you fall into for PCI DSS compliance. For merchants, you can be categorized anywhere from a Level 1 to a Level 4. Level 1 audit require an on site PCI DSS assessment, while other Levels you can conduct a PCI DSS Self Assessment. These are general rules, however. Compelling business requirements would require some Level 2, 3, and 4 providers to possibly have an on site audit conducted. Also, there are varying requirements depending on your transaction level between the major payment brands. Find out what your transaction level is, first and foremost.
Additionally, there are also requirements for service providers, thus you will need to identify your transaction level also.
Apr 12 2009 12:36PM GMT
Posted by: Charles Denyer
pci merchant levels,
charles denyer,
american express,
Discover Card,
visa,
mastercard,
jcb,
level 1,
PCI DSS assessment,
qsa,
quarterly network scan
PCI merchant levels have been clearly defined by all the major payment brands (VISA, MasterCard, American Express, Discover Card, and JCB). What’s important to note is that you should also look at each of the payment brand’s respective Levels for truly understanding where you fall.
Thus, PCI merchant levels for American Express are defined as the following:
Level 1: Merchants processing over 2.5 million American Express Card transactions annually or any merchant that American Express otherwise deems a Level 1.
Level 2: Merchants providing 50,000 to 2.5 million American Express transactions annually or any merchant that American Express otherwise deems Level 2.
Level 3: Merchants processing less than 50,000 American Express transactions annually.
Thus, the requirements for these respective Levels as far as compliance is concerned are the following:
Level 1: Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV.
Level 2: Quarterly Network Scan by ASV.
Level 3: Quarterly Network Scan by ASV.
To learn more about PCI Merchant Levels and the Payment Card Industry Data Security Standards (PCI DSS), visit pciassessment.org
Mar 26 2009 1:09AM GMT
Posted by: Charles Denyer
credit card security compliance,
payment card industry data security standards (PCI DSS),
qualified security assessor (QSA),
charles denyer,
pci dss self assessment,
visa,
mastercard,
american express,
Discover Card,
jcb
Credit card security compliance is more technically known as the Payment Card Industry Data Security Standards, simply known as PCI DSS. PCI DSS is a framework established and agreed upon by the major payment brands (Visa, MasterCard, American Express, Discover Card, and JCB). The oversight, training and assessment guidelines for PCI DSS is conducted by the Payment Card Industry Security Standards Council, known as the PCI SSC.
Payment card industry compliance is a very general and broad term, thus you need to fully understand what your compliance needs are and how to go about undertaking the requirements for meeting these very needs. Most organizations requiring PCI DSS compliance are either merchants or service providers, and they have to comply based on what level they fall into for PCI DSS.
Add to this is the ability to either conduct a PCI DSS self assessment or to undertake an actual on-site PCI DSS assessment by a qualified security assessor, known as PCI-QSA. Get the facts about compliance and start making inroads sooner rather than later for all your credit card security compliance needs (again, more technically known as PCI DSS 
Mar 23 2009 12:07PM GMT
Posted by: Charles Denyer
charles denyer,
jcb,
american express,
discover,
visa,
mastercard,
pci dss merchant levels,
qsa,
pci ssc,
self assessment questionnaire,
qualified security assessor (QSA)
Regarding PCI DSS merchant levels, it is paramount that these very merchants properly identify the level they fall under for compliance with PCI DSS. Most merchants will be able to undergo their own payment card industry data security standards (PCI DSS) self assessment questionnaire (SAQ). However, many will also be required to conduct and go through an annual on-site assessment by a Qualified Security Assessor (QSA).
Again, this all depends on the merchant levels and you have to understand that these PCI DSS merchant levels are different for each of the respective payment brands. So, let’s take a closer look at this.
Discover Card: They do not even use merchant level categories, rather, they use a risk based approach for assigning PCI DSS requirments.
VISA: Visa uses Levels 1 to 4 for classifying merchant levels. Learn more about VISA Merchant requirments
American Express, JCB, MasterCard: These major payment brand heavyweights also have identify merchants from Levels 1 to 4, and again, this is based on transaction volume. Learn more about their PCI DSS merchant levels.
