SPIguard

Merchant Levels

The PCI DSS program will involve merchants of all business models. The PCI DSS is mandatory for Level 1, 2 and 3 merchants. For Level 4 (a, b) merchants it is optional unless your acquiring institution has made it a mandatory requirement for processing credit card transactions.

Merchant levels defined

As of July 18, 2006, merchant level definitions have changed. Acquirers are responsible for determining the compliance validation levels of their merchants. Acquirers are also responsible for identifying the new compliance validation levels of their merchants according to the updated level definitions as of July 18, 2006.

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, members must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, members will continue to consider the DBA's individual transaction volume to determine the validation level. Merchant levels are defined as:

Merchant Level 1:
  • Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  • Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • Any merchant identified by any other payment card brand as Level 1.

Merchant Level 2:
  • Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Merchant Level 3:
  • Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Merchant Level 4:
  • Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.


Compliance validation basics

In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.

Level 1
  • Validation action: Annual On-site PCI Data Security Assessment, validated by a Qualified Data Security Company or Internal Audit if signed by an Officer of the company
  • Validation action: Quarterly Network Scan, validated by a Qualified Independent Scan Vendor
  • Due date: 9/30/04. New Level 1 merchants have up to one year from identification to validate.

Level 2
  • Validation action: Annual PCI Self-Assessment Questionnaire, validated by the Merchant
  • Validation action: Quarterly Network Scan, validated by a Qualified Independent Scan Vendor
  • Due date: new Level 2 merchants, 9/30/2007

Level 3
  • Validation action: Annual PCI Self-Assessment Questionnaire, validated by the Merchant
  • Validation action: Quarterly Network Scan, validated by a Qualified Independent Scan Vendor
  • Due date: 6/30/05

Level 4*
  • Validation action: Annual PCI Self-Assessment Questionnaire, validated by the Merchant
  • Validation action: Quarterly Network Scan, validated by a Qualified Independent Scan Vendor
  • Due date: validation requirements and dates are determined by the merchant's acquirer

*The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.


Validation procedures and documentation

Acquirers must obtain the required compliance validation requirements from their merchants. Documentation must be available to Visa upon request. Acquirers and merchants should also verify the compliance reporting requirements of other payment card brands that may require proof of compliance validation.

Compliance validation takes place at the merchant's expense, as follows:

  • The Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Security Audit Procedures document. This document is also to be used as the template for the Report on Compliance.

Level 1 merchants should engage a Visa-approved, Qualified Data Security Company to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a level 1 merchant, provided that a letter signed by a merchant officer accompanies the report.

Download the PCI Security Audit Procedures (DOC, 627k).

  • The Annual PCI Self-Assessment Questionnaire must be completed by Level 2 and 3 merchants. Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire as specified by their acquirer.

Download the PCI Self-Assessment Questionnaire (DOC, 293k).

  • The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) addresses provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their Level 1, 2 and 3 merchants are performed by a Qualified Independent Scan Vendor. The Quarterly Network Security Scan may be required of Level 4 merchants as specified by their acquirer.

Download the PCI Security Scanning Procedures (PDF, 105k).


Copyright © 1994 - 2008 SPIguard Security Solutions Inc.