PCI merchant classification and requirements


In the previous blog post, we discussed the need for PCI. The obvious follow-up question is: who needs to be in compliance?

The answer depends on how big your business is. Below is a list of requirements taken from Visa’s web site.

Level 1: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region

* Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
* Quarterly network scan by Approved Scan Vendor (“ASV”)
* Attestation of Compliance Form

Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)

* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually

* Annual SAQ
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 4: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually

* Annual SAQ recommended
* Quarterly network scan by ASV if applicable
* Compliance validation requirements set by acquirer

It is estimated that there are only a few hundred Level 1 merchants in the country. There are more Level 2 merchants. Without question, the vast majority of merchants fall into Levels 3 and 4. Note that the credit card transaction count applies to all channels. So even if you have only a small online operation, you may still be subject to stricter rules if your other businesses are big enough.
