01-19-12 | Blog Post

Guide to PCI Compliance Levels & Merchant Types

Blog Posts

Do you know what level of PCI (Payment Card Industry) compliance your company falls under? Or even what merchant type best categorizes your payment process?

Here’s your guide to the four different levels of PCI compliance as mandated by the major payment card brands, Visa and Mastercard, as well as action items for each:

Level 1

Over 6 million Visa and/or Mastercard transactions processed per year. Requires yearly on-site reviews by an internal auditor, and a network scan by an approved scanning vendor (ASV).

Level 2

1 million to 6 million Visa and/or Mastercard transactions processed per year. Must complete a Self-Assessment Questionnaire (SAQ) annually, and requires a network scan with an approved scanning vendor.

Level 3

20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year. Must complete a Self-Assessment Questionnaire (SAQ) annually, and requires a network scan with an approved scanning vendor.

Level 4

Less than 20,000 Visa and/or Mastercard e-commerce transactions processed per year all other companies that process up to 1 million Visa transactions per year. Must complete a Self-Assessment Questionnaire (SAQ) annually, and requires a network scan with an approved scanning vendor.

Now, how do you know which SAQ (Self-Asssessment Questionnaire) to fill out? Find which merchant type best fits your company profile:

A

E-commerce, mail or telephone order merchants that do not store cardholder data (CD). All cardholder data functions are outsourced. This does not include face-to-face merchants.

B

Merchants that do not store electronic cardholder data. Instead, this applies to merchants that use an imprint machine to copy cardholder information. Also applies to standalone, dial-out terminal merchants.

C-VT

Web-based virtual terminal merchants that do not store electronic cardholder data.

C

Merchants that use a payment application system connected to the Internet and do not store electronic cardholder data. If using a software vendor for the payment application system, they must take security measures to ensure the app meets PCI compliance.

D

This includes all of the other merchants that aren’t included in the above categories, including all service providers defined as eligible to complete a SAQ and approved by a payment brand.

You’ve narrowed down what level and type of merchant you are, so now what? Read up about the 12 requirements to meet PCI Compliance with What is PCI Compliance? or watch a webinar on the detailed requirements of PCI compliance.

References:
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Levels of PCI Compliance

Do you know what level of PCI (Payment Card Industry) compliance your company falls under? Or even what merchant type best categorizes your payment process?

Here’s your guide to the four different levels of PCI compliance as mandated by the major payment card brands, Visa and Mastercard, as well as action items for each:

Level 1

Over 6 million Visa and/or Mastercard transactions processed per year. Requires yearly on-site reviews by an internal auditor, and a network scan by an approved scanning vendor (ASV).

Level 2

1 million to 6 million Visa and/or Mastercard transactions processed per year. Must complete a Self-Assessment Questionnaire (SAQ) annually, and requires a network scan with an approved scanning vendor.

Level 3

20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year. Must complete a Self-Assessment Questionnaire (SAQ) annually, and requires a network scan with an approved scanning vendor.

Level 4

Less than 20,000 Visa and/or Mastercard e-commerce transactions processed per year all other companies that process up to 1 million Visa transactions per year. Must complete a Self-Assessment Questionnaire (SAQ) annually, and requires a network scan with an approved scanning vendor.

Now, how do you know which SAQ (Self-Asssessment Questionnaire) to fill out? Find which merchant type best fits your company profile:

A

E-commerce, mail or telephone order merchants that do not store cardholder data (CD). All cardholder data functions are outsourced. This does not include face-to-face merchants.

B

Merchants that do not store electronic cardholder data. Instead, this applies to merchants that use an imprint machine to copy cardholder information. Also applies to standalone, dial-out terminal merchants.

C-VT

Web-based virtual terminal merchants that do not store electronic cardholder data.

C

Merchants that use a payment application system connected to the Internet and do not store electronic cardholder data. If using a software vendor for the payment application system, they must take security measures to ensure the app meets PCI compliance.

D

This includes all of the other merchants that aren’t included in the above categories, including all service providers defined as eligible to complete a SAQ and approved by a payment brand.

You’ve narrowed down what level and type of merchant you are, so now what? Read up about the 12 requirements to meet PCI Compliance with What is PCI Compliance? or watch a webinar on the detailed requirements of PCI compliance.

References:
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Levels of PCI Compliance

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved