Guide to PCI Compliance Levels & Merchant Types

Posted 1.19.12 by
wpadmin
Blog

Here’s your guide to the four different levels of PCI compliance as mandated by the major payment card brands.

Do you know what level of PCI (Payment Card Industry) compliance your company falls under? Or even what merchant type best categorizes your payment process?

Here’s your guide to the four different levels of PCI compliance as mandated by the major payment card brands, Visa and Mastercard, as well as action items for each:

Level 1

Over 6 million Visa and/or Mastercard transactions processed per year. Requires yearly on-site reviews by an internal auditor, and a network scan by an approved scanning vendor (ASV).

Level 2

1 million to 6 million Visa and/or Mastercard transactions processed per year. Must complete a Self-Assessment Questionnaire (SAQ) annually, and requires a network scan with an approved scanning vendor.

Level 3

20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year. Must complete a Self-Assessment Questionnaire (SAQ) annually, and requires a network scan with an approved scanning vendor.

Level 4

Less than 20,000 Visa and/or Mastercard e-commerce transactions processed per year all other companies that process up to 1 million Visa transactions per year. Must complete a Self-Assessment Questionnaire (SAQ) annually, and requires a network scan with an approved scanning vendor.

Now, how do you know which SAQ (Self-Asssessment Questionnaire) to fill out? Find which merchant type best fits your company profile:

A

E-commerce, mail or telephone order merchants that do not store cardholder data (CD). All cardholder data functions are outsourced. This does not include face-to-face merchants.

B

Merchants that do not store electronic cardholder data. Instead, this applies to merchants that use an imprint machine to copy cardholder information. Also applies to standalone, dial-out terminal merchants.

C-VT

Web-based virtual terminal merchants that do not store electronic cardholder data.

C

Merchants that use a payment application system connected to the Internet and do not store electronic cardholder data. If using a software vendor for the payment application system, they must take security measures to ensure the app meets PCI compliance.

D

This includes all of the other merchants that aren’t included in the above categories, including all service providers defined as eligible to complete a SAQ and approved by a payment brand.

You’ve narrowed down what level and type of merchant you are, so now what? Read up about the 12 requirements to meet PCI Compliance with What is PCI Compliance? or watch a webinar on the detailed requirements of PCI compliance.

References:
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Levels of PCI Compliance

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.

Get started with Otava now!

  • This field is for validation purposes and should be left unchanged.