PCI DSS: Visa and MasterCard Quick Reference Guide
Merchant and Service Provider Compliance Level 1
Merchant Qualification Criteria for Visa and MasterCard:
- Retail and e-commerce merchants with more than 6 million Visa or MasterCard transactions annually.
- Merchants that have suffered a hack or an attack that resulted in an account data compromise.
- Merchants that Visa or MasterCard determines should meet the Level 1 requirements in order to minimize risk to the payment system, and merchants identified as Level 1 by any other payment card brand.
Service Provider Qualification Criteria:
- Visa: All VisaNet processors (member and nonmember) and all payment gateways, i.e., any agent or service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction.
- MasterCard: All Third Party Processors (TPPs) and Data Storage Entities (DSEs) that store account data on behalf of Level 1 or Level 2 merchants.
Validation Requirement:
- Visa: Annual onsite review by a Qualified Security Assessor (QSA), or by internal audit if the report is signed by an officer of the company, plus a quarterly network security scan by an Approved Scanning Vendor (ASV).
- MasterCard: Annual onsite review by the merchant's internal auditor or by a QSA, plus a quarterly network security scan by an ASV.
Deadline: September 30, 2007
Merchant and Service Provider Compliance Level 2
Merchant Qualification Criteria:
- E-commerce merchants with 150,000 to 6 million Visa or MasterCard transactions annually.
- All merchants meeting the Level 2 criteria of a competing payment brand.
Service Provider Qualification Criteria:
- Visa: Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
- MasterCard: All DSEs that store account data on behalf of Level 3 merchants.
Validation Requirement:
- Visa: Annual onsite review by a QSA and a quarterly network security scan by an approved ASV.
- MasterCard: Annual onsite review by a QSA and a quarterly network security scan by an approved ASV.
Deadline: December 31, 2007
Merchant and Service Provider Compliance Level 3
Merchant Qualification Criteria:
- Visa: Merchants with more than 20,000 but fewer than one million Visa e-commerce transactions annually.
- MasterCard: Merchants with more than 20,000 but fewer than one million MasterCard e-commerce transactions annually, and all merchants meeting the Level 3 criteria of a competing payment brand.
Service Provider Qualification Criteria:
- Visa: Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.
- MasterCard: All other DSEs not included in Levels 1 and 2.
Validation Requirement:
- Visa: Completion of the PCI DSS Self-Assessment Questionnaire and a quarterly network security scan by an approved ASV.
- MasterCard: Completion of the PCI DSS Self-Assessment Questionnaire and a quarterly network security scan by an approved ASV.
Deadline: Contact acquirer or card brand representative.
Merchant and Service Provider Compliance Level 4
Merchant Qualification Criteria:
- Visa: Merchants processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. If a breach has been reported or discovered, Visa reserves the right to move a Level 4 merchant to Level 1, in which case the merchant must meet the Level 1 validation requirements. (See Level 4 Merchant Compliance for more information.)
- MasterCard: Any other merchant not covered by the Level 1, Level 2 or Level 3 qualification criteria.
Validation Requirement:
- Visa: Annual completion of the PCI DSS Self-Assessment Questionnaire and a quarterly network security scan by an approved ASV. The acquirer submits a summary of its PCI compliance plan to Visa by July 30, 2007.
- MasterCard: Completion of the PCI DSS Self-Assessment Questionnaire and a quarterly network security scan by an approved ASV.
Deadline: Summary of PCI compliance plan, via acquirer, by July 30, 2007.