Understanding PCI Levels and Types


Any merchant who accepts credit cards and has a merchant account must validate compliance. It does not matter whether you use a third-party processor or outsource all of your credit card processing: it is the ownership of the merchant account that determines whether you must validate compliance. The only way to avoid PCI compliance is by not having a merchant account. Below are some charts which will help you decide which category and merchant type your business fits into.

Merchant levels and Compliance Validation Requirements

PCI Merchant Levels

Level 1
  Description:
  • Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system
  • Any merchant identified by any other payment card brand as Level 1
  Validation Requirements:
  • Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”)
  • Quarterly network scan by an Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level 2
  Description:
  • Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 transactions per year
  Validation Requirements:
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 3
  Description:
  • Any merchant processing 20,000 to 1,000,000 transactions per year
  Validation Requirements:
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4
  Description:
  • Any merchant processing fewer than 20,000 transactions per year
  Validation Requirements:
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer

Merchant Types

The “SAQ” is a self-validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level.

Self-Assessment Questionnaires and Validation Types

SAQ Validation Type 1 (SAQ A): Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ Validation Type 2 (SAQ B): Imprint-only merchants with no cardholder data storage.
SAQ Validation Type 3 (SAQ B): Standalone dial-up terminal merchants, no cardholder data storage.
SAQ Validation Type 4 (SAQ C): Merchants with payment application systems connected to the Internet, no cardholder data storage.
SAQ Validation Type 5 (SAQ D): All other merchants (not included in descriptions for SAQs A, B or C above), and all service providers defined by a card brand as eligible to complete a SAQ.

Service Provider Levels

Service providers are organizations that process, store, or transmit cardholder data on behalf of clients, merchants, or other service providers. Service provider levels are defined as:

Service Provider Levels and Validation Requirements

Service Provider Level 1
  Description:
  • Processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
  Validation Requirements:
  • Annual on-site PCI Data Security Assessment validated by a Qualified Security Assessor (“QSA”)
  • Quarterly network scan by an Approved Scan Vendor (“ASV”)

Service Provider Level 2
  Description:
  • Any service provider that stores, processes and/or transmits fewer than 300,000 transactions per year
  Validation Requirements:
  • Validated by the service provider (self-assessment)
  • Quarterly network scan by an Approved Scan Vendor (“ASV”)

By using the charts above, you should be able to easily determine your level and validation type. Knowing these details will go a long way in guiding you through your compliance, but it is also important to partner with other qualified businesses for your services. ZZ Servers provides PCI-focused hosted infrastructure designed for PCI compliance, which includes many of the controls and measures required for your business infrastructure to be fully compliant.