Defining PCI Compliance Merchant Validation Levels
Each card issuer has its own criteria for assigning a merchant level and a validation compliance level to a merchant, third party or service provider that must be PCI DSS compliant.
The merchant level is based on the organization's annual transaction volume. The validation compliance level is derived from the merchant level and specifies which validation actions are required, and who must carry them out, for the organization to be PCI DSS compliant.
For the majority of organizations, the standards set forth by Visa's CISP program and MasterCard's SDP program cover the qualifications for assigning both a merchant level and compliance level, along with incorporating PCI DSS.
American Express and Discover, at this time, do not have a program as stringent as Visa's or MasterCard's; however, both companies publish a 'best practices' document that aligns with the PCI DSS.
Currently, under PCI DSS 1.1, the emphasis of compliance is on the Level 1 and Level 2 merchants, service providers, vendors and payment applications.
The current Visa and MasterCard merchant levels, including the changes from PCI DSS 1.0 to PCI DSS 1.1, are as follows:
- Level 1: Visa U.S.A. and MasterCard Worldwide transactions totaling 6 million or more per year, and any merchant that has experienced a data breach.
- Level 2: Visa and MasterCard transactions totaling 1 million to 6 million per year. (The new requirement expands the number of Level 2 merchants to include former Level 4 merchants.)
- Level 3: Visa and MasterCard e-commerce transactions totaling 20,000 to 1 million per year. (The new requirement expands Level 3 to include former Level 2 merchants who process fewer than 1 million e-commerce transactions per year.)
- Level 4: Visa and MasterCard e-commerce transactions totaling up to 20,000 per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa or MasterCard transactions per year. (The new requirement decreases the number of Level 4 merchants.)
The current Visa and MasterCard validation requirements are as follows:
- Level 1 (Visa/MasterCard): Annual onsite review by a Qualified Security Assessor (QSA), or by the merchant's internal audit function if the report is signed by an officer of the company, plus a quarterly network security scan by an Approved Scanning Vendor (ASV).
- Level 2: Completion of the PCI DSS Self-Assessment Questionnaire annually, plus a quarterly network security scan by an approved ASV.
- Level 3: Completion of the PCI DSS Self-Assessment Questionnaire annually, plus a quarterly network security scan by an approved ASV.
- Level 4: Completion of the PCI DSS Self-Assessment Questionnaire annually, plus a quarterly network security scan by an approved ASV. A summary of the PCI compliance plan must be submitted, via the acquirer, by July 30, 2007. If a breach has been reported or discovered, Visa reserves the right to reclassify the Level 4 merchant as Level 1; if so, the merchant must meet the Level 1 validation requirements. (See Level 4 Merchant Compliance for more information.)