Payment Card Industry Data Security Standards (PCI DSS) are a set of rules and regulations set forth to protect card-using customers from data loss. These standards are maintained and promoted by the PCI Security Standards Council, which is made up of representatives from the major card brands such as Visa, MasterCard, and American Express. Whether your company processes 1 or 100,000 credit card transactions a year, you are responsible for making sure your company is PCI compliant and that your customers are protected against a breach of information.
There are four levels of merchants, as defined by each individual credit card brand, which can make things complicated for merchants. The most common form of merchant level categorization is by the volume of each brand's card transactions. Below is a list of current categorizations by card brand. If you happen to own a franchise location, there may be additional requirements for you to complete in order to be recognized as compliant through your franchisor.
Becoming compliant is time-consuming and complicated. Let NuArx help you by providing your business with a time- and cost-effective PCI compliance solution.
877-556-8279 / www.NuArxInc.com
American Express

| Level | Definition | Validation Required | Requirement |
|---|---|---|---|
| 1 | 2.5 Million or more American Express transactions per year, OR any merchant otherwise deemed Level 1 by American Express | Annual Onsite Assessment; Security Assessment Report; Quarterly Network Scan | Mandatory |
| 2 | 50,000 to 2.5 Million American Express transactions per year | Annual Onsite Assessment; Security Assessment Report; Quarterly Network Scan | Mandatory |
| 3 | Less than 50,000 American Express transactions per year | Annual Onsite Assessment; Security Assessment Report; Quarterly Network Scan | Strongly Recommended* |
| EMV** | 50,000 American Express transactions per year, of which 75% are made by the cardholder with the physical card present at a Point of Sale system that is compliant with EMV specifications and capable of processing contact and contactless American Express Chip Cards | Annual EMV Attestation | Mandatory |
\* Level 3 merchants and Level 3 Service Providers need not submit Validation Documentation, but nevertheless must comply with, and are subject to liability under, all other provisions of this Data Security Operating Policy.
\*\* EMV is only available for merchants and service providers who have not had a data incident within the twelve (12) months prior to the date of their Annual EMV Attestation.
Visa

| Level | Definition | Validation Required | Requirement |
|---|---|---|---|
| 1 | 6 Million Visa transactions per year across all channels, OR global merchants identified as Level 1 by any Visa Region | Annual Report on Compliance (ROC) filed by a Qualified Security Assessor (QSA) or Internal Auditor; Quarterly network scan by an Approved Scan Vendor (ASV) | Mandatory |
| 2 | 1 to 6 Million Visa transactions annually across all channels | Annual Self-Assessment Questionnaire (SAQ); Annual Attestation of Compliance (AOC); Quarterly network scan by an Approved Scan Vendor (ASV) | Mandatory |
| 3 | 20,000 to 1 Million Visa e-commerce transactions annually | Annual Self-Assessment Questionnaire (SAQ); Annual Attestation of Compliance (AOC); Quarterly network scan by an Approved Scan Vendor (ASV) | Mandatory |
| 4 | Less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 Million Visa transactions annually | Annual Self-Assessment Questionnaire (SAQ); Annual Attestation of Compliance (AOC); Quarterly network scan by an Approved Scan Vendor (ASV) | Mandatory |
MasterCard

| Level | Definition | Validation Required | Requirement |
|---|---|---|---|
| 1 | Any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant having more than 6 Million total combined MasterCard and Maestro transactions annually; any merchant meeting the Level 1 criteria of Visa; any merchant that MasterCard determines should meet the Level 1 merchant requirements to minimize risk to the system | Annual Onsite Assessment; Quarterly Network Scan conducted by an Approved Scan Vendor (ASV) | Mandatory |
| 2 | Any merchant with more than 1 Million but less than or equal to 6 Million total combined MasterCard and Maestro transactions annually; any merchant meeting the Level 2 criteria of Visa | Annual Self-Assessment; Onsite Assessment at Merchant Discretion; Quarterly Network Scan conducted by an Approved Scan Vendor (ASV) | Mandatory |
| 3 | Any merchant with more than 20,000 but less than or equal to 1 Million total combined MasterCard and Maestro e-commerce transactions annually; any merchant meeting the Level 3 criteria of Visa | Annual Self-Assessment; Quarterly Network Scan conducted by an Approved Scan Vendor (ASV) | Mandatory |
| 4 | All other merchants | Annual Self-Assessment; Quarterly Network Scan conducted by an Approved Scan Vendor (ASV) | Mandatory* |

\* Level 4 merchants are required to comply with the PCI DSS. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.
Discover

| Level | Definition | Validation Required | Requirement |
|---|---|---|---|
| 1 | All merchants processing more than 6 Million card transactions annually on the Discover network; any merchant that Discover determines should meet the Level 1 compliance validation and reporting requirements; all merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant | Annual Onsite Assessment; Quarterly Network Scan; Attestation of Compliance from Report on Compliance (ROC) | Mandatory |
| 2 | All merchants processing between 1 Million and 6 Million card transactions annually on the Discover network | Annual Self-Assessment using the PCI DSS Self-Assessment Questionnaire (SAQ); Quarterly Network Scan; Attestation of Compliance from Self-Assessment Questionnaire (SAQ) | Mandatory |
| 3 | All merchants processing between 20,000 and 1 Million card-not-present-only transactions annually on the Discover network | Annual Self-Assessment using the PCI DSS Self-Assessment Questionnaire (SAQ); Quarterly Network Scan; Attestation of Compliance from Self-Assessment Questionnaire (SAQ) | Mandatory |
| 4 | All other merchants | Annual Self-Assessment using the PCI DSS Self-Assessment Questionnaire (SAQ); Quarterly Network Scan; Attestation of Compliance from Self-Assessment Questionnaire (SAQ) | Mandatory* |

\* If an organization does not have a direct acquiring relationship with Discover, its requirements as a Level 4 merchant may be different. These organizations should consult with their acquirer for the appropriate acquirer-determined Level 4 merchant validation and reporting requirements.