Step 1 Determine Your Level
|Merchant Level||Criteria||Onsite Security Assessment||Self-Assessment Questionnaire (SAQ)||Network Vulnerability Scan|
|Level 1||At least 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover||Required Annually||Not Applicable||Required Quarterly|
|Level 2||1 million to 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover||At Merchant Discretion*||Required Annually*||Required Quarterly|
|Level 3||20K to 1 million ecommerce transactions annually from any acceptance channel for Visa, MasterCard or Discover||Not Applicable||Required Annually||Required Quarterly|
|Level 4||Less than 20k ecommerce annually or less than 1 million transactions from any acceptance channel for Visa, MasterCard or Discover||Not Applicable||Required Annually||Required Quarterly|
* Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.
|Service Provider Level||Criteria||Onsite Security Assessment||Self-Assessment Questionnaire||Network Vulnerability Scan|
|Level 1||More than 300,000 transactions annually for Visa or MC||Required Annually||Not Applicable||Required Quarterly|
|Level 2||300,000 or less transactions annually for Visa or MC||Not Applicable||Required Annually (SAQ – D)||Required Quarterly|
Step 2 Identify your validation type, determine which Self-Assessment Questionnaire is appropriate for your business, and complete the SAQ
|SAQ Validation Type||Description||SAQ|
|Type 1||Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.||A|
|Type 2||Imprint-only merchants with no cardholder data storage||B|
|Type 3||Stand-alone dial-up terminal merchants, no cardholder data storage||B|
|Type 4||Merchant with payment application systems connected to the internet, no cardholder data storage.||C|
|Type 5||All other merchants (not included in descriptions for SAQs A – C above) and all service providers defined by payment brand as eligible to complete an SAQ.||D|
Step 3 Complete and obtain evidence of passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).
It is required for Validation Type 4 and 5—those merchants with external facing IP addresses.
Please contact our PCI Compliance department at 1-877-267-4324 (option 8) for assistance in obtaining a passing vulnerability scan or for general inquires.