
PCI DSS Compliance Merchant Levels & Requirements

Merchants and service providers each have their own guidelines for PCI DSS compliance. Each of the major payment brands (Visa, MasterCard, American Express, Discover and JCB International) assigns merchants to a level according to transaction volume and sets validation requirements for each level. The Visa and MasterCard definitions are set out below: the transaction volumes that place a merchant in a given level, and the validation that each level must perform.


PCI DSS, Visa and MasterCard Validation Requirements

Validation is the process of testing or assessment by a qualified party to substantiate an entity's compliance with the PCI DSS. Every merchant falls into one of four merchant levels, assigned on the basis of Visa or MasterCard transaction volume. Merchant (acquiring) banks must ensure that their merchants validate at the appropriate level and must obtain the required compliance validation documentation from them. That documentation is the proof that the validation requirements have been met, and must be provided to the card brands (Visa, MasterCard) on request.

Any entity, including a merchant, that stores, processes or transmits cardholder data must be PCI DSS compliant. In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2 and Level 3 merchants, and may be required for Level 4 merchants. For Level 1 merchants, an annual Report on Compliance (ROC) must be performed by a PCI Qualified Security Assessor (QSA), or by an internal auditor if the report is signed by an officer of the company. Quarterly external network scans must be performed by an Approved Scanning Vendor (“ASV”), with an attestation of compliance documenting a passing scan.

The PCI DSS requires that every merchant with externally facing IP addresses perform quarterly external network scans to achieve compliance. Merchant banks may require Level 4 merchants to submit the quarterly scan reports and/or self-assessment questionnaires. Any merchant that has suffered a breach resulting in an account data compromise may be escalated to a higher validation level.

Visa Merchant Level & Validation Requirements Defined:

Every merchant falls into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is the aggregate number of Visa transactions (credit, debit and prepaid) from a merchant Doing Business As (“DBA”). Where a merchant corporation has more than one DBA, members (acquiring banks) must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, that is, the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, members continue to use each DBA's individual transaction volume to determine the validation level.

Level 1:

  • Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year (2)
  • Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system

Validation Requirements:

  • Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”), or by an internal auditor if the report is signed by an officer of the company
    • The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level 2:

  • Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year

Validation Requirements:

  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 3:

  • Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Validation Requirements:

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4:

  • Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year

Validation Requirements:

  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by merchant bank

MasterCard Merchant Level & Validation Requirements Defined:

All merchants that store, process or transmit cardholder data must be PCI DSS compliant. Each merchant categorized as Level 1, Level 2 or Level 3 is required to report its compliance status directly to its acquiring bank. Determining the merchant level often raises questions, so MasterCard recommends that merchants first contact their acquiring bank. With the acquirer's assistance, merchants can then complete the following steps:

  • Determine merchant level using MasterCard transaction volume from the most recent 52-week period
  • Confirm necessary PCI validation requirements (Onsite or Self-Assessments, Self-Assessment Questionnaire, External Vulnerability Scan)
  • Engage an approved vendor, as appropriate, and follow the validation procedures

Once a merchant has been validated as compliant, it must submit the validation documentation to its acquiring bank, which then reports the merchant's compliance status to MasterCard.

Level 1:

  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant having more than six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system

Validation Requirements:

  • Annual Onsite Assessment (1)
  • Quarterly Network Scan conducted by an ASV (2)

Level 2:

  • Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa

Validation Requirements:

  • Annual Self-Assessment (4)
  • Onsite Assessment at Merchant Discretion (4)
  • Quarterly Network Scan conducted by an ASV (2)

Level 3:

  • Any merchant with more than 20,000 but no more than one million total combined MasterCard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa

Validation Requirements:

  • Annual Self-Assessment
  • Quarterly Network Scan conducted by an ASV (2)

Level 4:

  • All other merchants (5)

Validation Requirements:

  • Annual Self-Assessment
  • Quarterly Network Scan conducted by an ASV (2)

Visa Notes:

  1. Compromised entities may be escalated at regional discretion.
  2. A merchant meeting the Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. An exception may apply to global merchants if there is no common infrastructure and Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.

MasterCard Notes:

  1. Effective 30 June 2012, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue to use internal auditors.
  2. Quarterly network scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).
  3. The initial compliance date of June 2005 for Level 1 merchants has now passed. The 30 June 2012 deadline is for PCI SSC ISA training and certification only, and applies to those merchants that choose to conduct an annual onsite assessment using an internal auditor.
  4. Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire.
  5. Level 4 merchants are required to comply with the PCI DSS. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.