Step 1 Determine Your Level
Merchant Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire (SAQ) | Network Vulnerability Scan |
---|---|---|---|---|
Level 1 | At least 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover | Required Annually | Not Applicable | Required Quarterly |
Level 2 | 1 million to 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover | At Merchant Discretion* | Required Annually* | Required Quarterly |
Level 3 | 20,000 to 1 million e-commerce transactions annually from any acceptance channel for Visa, MasterCard or Discover | Not Applicable | Required Annually | Required Quarterly |
Level 4 | Fewer than 20,000 e-commerce transactions annually, or fewer than 1 million transactions annually from any acceptance channel, for Visa, MasterCard or Discover | Not Applicable | Required Annually | Required Quarterly |
* Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.
Service Provider Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire | Network Vulnerability Scan |
---|---|---|---|---|
Level 1 | More than 300,000 transactions annually for Visa or MC | Required Annually | Not Applicable | Required Quarterly |
Level 2 | 300,000 or fewer transactions annually for Visa or MC | Not Applicable | Required Annually (SAQ D) | Required Quarterly |
Step 2 Identify your validation type, determine which Self-Assessment Questionnaire is appropriate for your business, and complete the SAQ
SAQ Validation Type | Description | SAQ |
---|---|---|
Type 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
Type 2 | Imprint-only merchants with no cardholder data storage | B |
Type 3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B |
Type 4 | Merchant with payment application systems connected to the internet, no cardholder data storage. | C |
Type 5 | All other merchants (not included in descriptions for SAQs A – C above) and all service providers defined by payment brand as eligible to complete an SAQ. | D |
Step 3 Complete a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV) and obtain evidence that it passed.
The scan is required for Validation Types 4 and 5, i.e. those merchants with external-facing IP addresses.
Please contact our PCI Compliance department at 1-877-267-4324 (option 8) for assistance in obtaining a passing vulnerability scan or for general inquiries.