SAQ archives - Regulatory Compliance, Governance and Security
Home > IT Blogs > Regulatory Compliance, Governance and Security >

Regulatory Compliance, Governance and Security:

SAQ

Jul 27 2009   11:49AM GMT

PCI DSS Service Provider Levels for VISA | Level 1 to Level 3



Posted by: Charles Denyer
PCI DSS service provider levels, visa, Annual onsite review by QSA, qsa, qualified security assessor, SAQ, VisaNet

PCI DSS Service Providers Levels for VISA are defined as the following:

Level 1: All VisaNet processors (member and non-member) and all payment gateways.

Level 2: Service Providers (agents) not in Level 1 that store, process, or transmit > 1 million accounts/transactions annually.

Level 3: Service Providers (agents) not in Level 1 that store, process, or transmit < 1 million accounts/transactions annually.

Additionally, these various “levels” have predefined requirements for PCI DSS compliance, which essentially call for the following:

* Annual onsite review by QSA
* Quarterly network scan by ASV
* Annual Self-Assessment Questionnaire
(Canada: SAQ required and must be reviewed by QSA)

In short, you will need to retain a Qualified Security Assessor (QSA) to help with PCI DSS compliance. A QSA will assist in guiding your organization through an actual on-site assessment.

AddThis Social Bookmark Button     0 Comments     RSS Feed     Email a friend

Jun 26 2009   3:08PM GMT

PCI DSS Requirements and PCI DSS Merchant Levels | VISA



Posted by: Charles Denyer
PCI DSS Requirements and PCI DSS Merchant Levels | VISA, annual report on compliance, ROC, annual self assessment questionnaire, SAQ, Quarterly network scan by approved Scan Vendor, asv, Attestaion of compliance form, Merchant Levels 1, 2, 3, 4, charles denyer

PCI DSS Requirements for Merchants is dependent on the “Level” your organization falls into. Currently, there are four (4) Merchant Levels for PCI DSS compliance. What’s important to note is that these merchant levels are based on transaction volume of cardholder data. But also keep in mind that many merchants who do not meet the more stringent Level 1 requirements because of lower transaction volumes may still have to become Level 1 compliant based on customer demands, marketing efforts for their company, or possible regulatory requirements (i.e, you’ve been notified by your acquirer that you need to be level 1 compliant).

Thus, here are the VISA Merchant Levels:

Level 1: Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year OR Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 1 Requirements:
* Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
* Quarterly network scan by Approved Scan Vendor (“ASV”)
* Attestation of Compliance Form

Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 2 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 3 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.

Level 4 Requirements:
* Annual SAQ recommended
* Quarterly network scan by ASV if applicable
* Compliance validation requirements set by acquirer

To learn more about PCI DSS compliance and merchant level requirements for other payment brands (MasterCard, American Express, Discover Card, and JCB), visit pciassessment.org

AddThis Social Bookmark Button     0 Comments     RSS Feed     Email a friend