Tuesday March 28, 2017
PCI Discussion Forum
Merchant Levels and Responsibilities

Achieving and maintaining compliance with the PCI DSS is a difficult proposition for many organizations. The specificity of the required controls, and the processes and procedures required to demonstrate that those controls are managed in a secure manner, require a significant outlay of capital and resources from companies pursuing compliance.

  • The different merchant levels and their PCI requirements are listed below in a generalized format.


    Level | Definition                                         | Requirements
    ------+----------------------------------------------------+--------------------------------------------------------------
    1     | Processes over 6 million transactions annually     | Annual on-site audit by a QSA.
          |                                                    | Quarterly scans for network vulnerability by an ASV.
    2     | Processes 1 million to 6 million transactions      | Annual on-site self assessment.
          | annually                                           | Quarterly scans for network vulnerability by an ASV.
    3     | Processes 20,000 to 1 million transactions         | Annual on-site self assessment.
          | annually                                           | Quarterly scans for network vulnerability by an ASV.
    4     | All other merchants                                | Annual on-site self assessment.
          |                                                    | Quarterly scans for network vulnerability by an ASV.


  • American Express does not use the format listed above. Please refer to its website for information on its definitions and requirements: https://www.americanexpress.com
