Key Takeaways
Volume Determines Validation: The four PCI DSS merchant levels are determined by the annual volume of payment card transactions processed. Higher transaction volumes correspond to stricter compliance requirements and more rigorous validation procedures.
Level 1 Requires On-Site Validation: Merchants processing more than 6 million transactions a year (Level 1) carry the heaviest compliance burden: an annual on-site assessment, normally performed by a Qualified Security Assessor (QSA), that produces a Report on Compliance (ROC).
SAQs and Quarterly Scans: Merchants in Levels 2, 3 and 4 generally validate compliance annually by completing the Self-Assessment Questionnaire (SAQ) that matches how they accept cards. Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) apply to merchants whose SAQ type includes the scanning requirement, which is most merchants with Internet-facing systems in scope; not every SAQ does.
Understanding PCI DSS Requirements
The PCI DSS (Payment Card Industry Data Security Standard) sets out requirements that help companies avoid payment data breaches and payment card fraud. It is maintained by the PCI Security Standards Council, a body formed jointly by the major payment card brands, and its requirements are intended to ensure that cardholder data receives appropriate protection wherever it is stored, processed or transmitted.
In many cases, service providers do not realize they need to be PCI compliant until clients start asking for assurance. One aspect of PCI compliance unique to service providers is registration on the Visa Global Registry of Service Providers or the MasterCard SDP Compliant Registered Service Provider List. Visa and MasterCard maintain these lists so that prospective customers can find service providers the card brands recognize as PCI compliant.
Understanding PCI DSS Merchant Levels
The listing process itself is straightforward, but it can be daunting for organizations that do not handle cardholder data directly and therefore have no relationship with an acquiring bank to sponsor or guide them.
Your PCI Partner
Auditwerx can provide the guidance and assistance a service provider needs to get through the Visa and MasterCard service provider registration process and to stay listed afterwards.
Merchant levels may change, but Auditwerx QSAs understand what it takes to get through merchant assessments quickly and easily. Contact a PCI specialist today!
FAQs
What are the four levels of PCI DSS merchant compliance?
The four levels, based on annual transaction volume per card brand, are: Level 1 (more than 6 million transactions), Level 2 (1 million to 6 million transactions), Level 3 (20,000 to 1 million e-commerce transactions), and Level 4 (fewer than 20,000 e-commerce transactions, or any other merchant processing up to 1 million transactions). Each card brand publishes its own thresholds, and a brand or acquirer can place a merchant in a higher level than its volume alone would indicate, for example after a breach.
What is the compliance requirement for PCI DSS Level 1 merchants?
Level 1 merchants must complete an annual on-site assessment, normally performed by a Qualified Security Assessor (QSA), that results in a Report on Compliance (ROC). They must also have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) against their Internet-facing systems in scope.
How do merchants in PCI DSS Levels 2, 3, and 4 typically validate their compliance?
Merchants in these lower levels generally validate compliance annually by completing the Self-Assessment Questionnaire (SAQ) appropriate to their payment channel and, where their SAQ type requires it, by having quarterly external vulnerability scans performed by an ASV.
Why is a merchant's transaction volume the key factor in determining their PCI DSS level?
Transaction volume is used as a proxy for risk and exposure: the more card transactions a merchant processes, the more cardholder data is exposed and the greater the impact of a breach. Higher volumes therefore bring more rigorous validation, so that the businesses with the greatest exposure implement the strictest controls and have them verified externally rather than by self-assessment.
