Step 1 Determine Your Level

| Merchant Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire (SAQ) | Network Vulnerability Scan |
|---|---|---|---|---|
| Level 1 | At least 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover | Required Annually | Not Applicable | Required Quarterly |
| Level 2 | 1 million to 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover | At Merchant Discretion* | Required Annually* | Required Quarterly |
| Level 3 | 20K to 1 million ecommerce transactions annually from any acceptance channel for Visa, MasterCard or Discover | Not Applicable | Required Annually | Required Quarterly |
| Level 4 | Less than 20k ecommerce annually or less than 1 million transactions from any acceptance channel for Visa, MasterCard or Discover | Not Applicable | Required Annually | Required Quarterly |

* Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.

| Service Provider Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire | Network Vulnerability Scan |
|---|---|---|---|---|
| Level 1 | More than 300,000 transactions annually for Visa or MC | Required Annually | Not Applicable | Required Quarterly |
| Level 2 | 300,000 or less transactions annually for Visa or MC | Not Applicable | Required Annually (SAQ – D) | Required Quarterly |

Step 2 Identify your validation type, determine which Self-Assessment Questionnaire is appropriate for your business, and complete the SAQ

| SAQ Validation Type | Description | SAQ |
|---|---|---|
| Type 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| Type 2 | Imprint-only merchants with no cardholder data storage | B |
| Type 3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B |
| Type 4 | Merchant with payment application systems connected to the internet, no cardholder data storage. | C |
| Type 5 | All other merchants (not included in descriptions for SAQs A – C above) and all service providers defined by payment brand as eligible to complete an SAQ. | D |

Step 3 Complete and obtain evidence of passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).

The scan is required for Validation Types 4 and 5, that is, merchants with external-facing IP addresses.

Please contact our PCI Compliance department at 1-877-267-4324 (option 8) for assistance in obtaining a passing vulnerability scan or for general inquiries.