PCI DSS Levels
Organizations often describe themselves as being "Level 1 PCI Compliant", and this is commonly taken to mean that merchants handling a large number of transactions per year must meet tougher standards than merchants processing only a few. To clear this up, I will go through the whole topic in detail and explain what actually distinguishes each level.
Let me summarize the point before going into detail: the actual security standard is the same for every merchant. The PCI DSS requirements do not change with the number or volume of transactions a merchant processes, however high or low. What changes from level to level is how compliance must be validated (who performs the assessment and what report is produced) and how often. With that said, the "topic in detail" will not take long after all.
The merchant levels differ in how compliance with the standard must be reviewed:
· A Level 1 merchant's compliance must be assessed by an independent Qualified Security Assessor (QSA) in an annual on-site audit, documented in a Report on Compliance (ROC).
· A Level 2 merchant must either undergo an annual on-site audit by a QSA or complete an annual Self-Assessment Questionnaire (SAQ). Note that some card brands add conditions here; Mastercard, for example, requires that a Level 2 SAQ be completed by a QSA or by staff holding the PCI SSC Internal Security Assessor (ISA) certification.
· A Level 3 or Level 4 merchant validates compliance by completing an annual Self-Assessment Questionnaire (SAQ).
The following are the PCI compliance validation requirements for each merchant level. The thresholds below are the ones Visa publishes; the other card brands use similar but not identical criteria, transaction counts are per card brand (so a merchant can sit at different levels with different brands), and it is the acquiring bank that assigns a merchant its level.
For Level 1:
Criteria for this level:
· A merchant that has suffered a breach resulting in the compromise of account data; a card brand may place such a merchant at Level 1 regardless of its transaction volume.
· A merchant processing more than 6 million card transactions per year, across all channels.
· A merchant that a card brand, at its own discretion, determines must meet the Level 1 requirements.
Actions to be taken:
Such a merchant must undergo an annual on-site assessment by a QSA, resulting in a Report on Compliance, and must have its externally facing systems scanned quarterly by an Approved Scanning Vendor (ASV).
For Level 2:
Criteria for this level:
· A merchant processing between 1 million and 6 million card transactions per year.
· A merchant that meets a card brand's Level 2 criteria.
Actions to be taken:
Such a merchant must complete an annual Self-Assessment Questionnaire (or, if it prefers, an on-site assessment by a QSA; an on-site assessment is not required in addition to the SAQ) and must have its network scanned quarterly by an Approved Scanning Vendor (ASV).
For Level 3:
Criteria for this level:
A merchant processing between 20,000 and 1 million e-commerce transactions per year.
Actions to be taken:
Such a merchant must complete an annual Self-Assessment Questionnaire (SAQ) and must have its network scanned by an Approved Scanning Vendor (ASV) on a quarterly basis.
For Level 4:
Criteria for this level:
Any merchant falling below the thresholds stated above: fewer than 20,000 e-commerce transactions per year, or up to 1 million transactions per year through other channels.
Actions to be taken:
Such a merchant is required to complete an annual Self-Assessment Questionnaire (SAQ) and to have quarterly network scans performed by an Approved Scanning Vendor (ASV) where applicable. In practice the acquiring bank sets and enforces the exact validation requirements for Level 4 merchants, so check with your acquirer.
BuyerShield® ASV PCI Compliance brings peace of mind and security to your business, using robust security analysis for thousands of known vulnerabilities, with more added every day.