At least 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover
1 million to 6 million transactions annually from any acceptance channel for Visa, MasterCard or Discover
At Merchant Discretion*
20K to 1 million ecommerce transactions annually from any acceptance channel for Visa, MasterCard or Discover
Fewer than 20K ecommerce transactions annually or fewer than 1 million transactions from any acceptance channel for Visa, MasterCard or Discover
* Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.
Service Provider Level
Onsite Security Assessment
Network Vulnerability Scan
More than 300,000 transactions annually for Visa or MC
300,000 or fewer transactions annually for Visa or MC
Required Annually (SAQ – D)
Step 2: Identify your validation type, determine which Self-Assessment Questionnaire is appropriate for your business, and complete the SAQ.
SAQ Validation Type
Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Imprint-only merchants with no cardholder data storage
Stand-alone dial-up terminal merchants, no cardholder data storage
Merchant with payment application systems connected to the internet, no cardholder data storage.
All other merchants (not included in descriptions for SAQs A – C above) and all service providers defined by payment brand as eligible to complete an SAQ.
Step 3: Complete a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV) and obtain evidence that it passed.
The scan is required for Validation Types 4 and 5, that is, merchants with external-facing IP addresses.
Please contact our PCI Compliance department at 1-877-267-4324 (option 8) for assistance in obtaining a passing vulnerability scan or for general inquiries.