PCI Compliance Levels

PCI Compliance Level 1

Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 for any reason.

Validation Requirements: (1). Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”) – also commonly known as a Level 1 onsite assessment – or by an internal auditor if signed by an officer of the company. (2). Quarterly network scan by an Approved Scan Vendor (“ASV”). (3). Attestation of Compliance Form.

PCI Compliance Level 2

Merchants processing between 1 million and 6 million Visa transactions annually (all channels).

Validation Requirements for VISA and MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form.

PCI Compliance Level 3

Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually.

Validation Requirements for VISA and MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form.

PCI Compliance Level 4

Merchants processing less than 20,000 to 1 million Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.

Validation Requirements for VISA and MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form. Note: Ultimately, compliance validation requirements are set by the acquirer.

Storefront merchants categorized as PCI compliance levels 2, 3, and 4 must complete an annual self-assessment questionnaire (PCI SAQ) in addition to a required quarterly network scan performed by an approved scanning vendor. The nature of the questionnaires, as well as the deadlines for reaching PCI compliance, varies slightly depending on whether the merchant falls into PCI Compliance level 2, 3, or 4, but the basic requirements remain the same.

Internet-based merchants are also divided into PCI compliance levels 1-4, with each PCI compliance level defined by the same transaction volumes as those for “brick and mortar” merchants. In addition, internet-based merchants at each PCI Compliance level must undergo a quarterly vulnerability scan performed by an approved scanning vendor. Though some PCI Compliance Level 1 internet-based merchants may be able to perform annual self-assessments (with the permission of their processor and card brand), the vast majority of internet-based merchants will be held to these PCI Compliance expectations.