This topic is always in the air, so here are the official numbers for 2009 from the PCI Security Standards Council, the official governing body for PCI requirements for merchants:
Facts:
- Payment Brands determine Merchant PCI levels. Payment Brands are Visa, Mastercard, Discover, Amex etc. They have the last word on this topic.
- Transaction volume is determined by the Acquirer.
- Transaction volume is the aggregate number of transactions (chain stores do count if cards are processed centrally).
Amex
Level 1- Over 2.5 Million Amex card transactions/year, or any merchant who is Level 1 according to another Payment Brand
Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans
Level 2- 50000-2.5Million Amex transactions/year, or any merchant who is Level 2 according to another Payment Brand
Action: EU only annual SAQ, Quarterly ASV scans
Level 3- Less than 50000 AMEX transactions/year
Action: Quarterly ASV scans (recommended), EU only SAQ (recommended)
Level 4- N/A
Action: None
Discover
Level 1 - Over 6 Million Discover card transactions/year, any merchant that Discover designates as Level 1 (discretionary), or any merchant who is validated/reported as Level-1 to another Payment Brand
Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans
Level 2- 1-6 Million Discover transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand
Action: Annual SAQ, Quarterly ASV scans
Level 3- 20000-1 Million Discover transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand
Action: Annual SAQ, Quarterly ASV
Level 4- Everybody else with Discover card processing
Action: Determined by Acquirer, Annual SAQ, Quarterly ASV recommended
JCB
Level 1 - Over 1 Million JCB card transactions/year, or any merchant that has been compromised
Action: Annual Onsite QSA audit, Quarterly ASV scans
Level 2- Less than 1 Million JCB transactions/year
Action: Annual SAQ, Quarterly ASV scans
Level 3- N/A
Action: none
Level 4- N/A
Action: None
MasterCard
Level 1- Over 6 Million Mastercard card transactions/year, any merchant who is Level 1 according to another Payment Brand, or any merchant that has been compromised
Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans
Level 2- 1-6 Million Mastercard transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand
Action: Annual SAQ, Quarterly ASV scans
Level 3- 20000-1 Million Mastercard “e-commerce” transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand
Action: Annual SAQ, Quarterly ASV
Level 4- All other Mastercard merchants
Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended
Visa Inc
Level 1- Over 6 Million Visa card transactions/year (all transactions, not just e-commerce), or any global merchant identified as Level 1 by Visa in any Visa Region
Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form
Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions, not just e-commerce)
Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form
Level 3- 20000-1 Million Visa “e-commerce” transactions/year
Action: Annual SAQ (in Canada SAQs require QSA review), Quarterly ASV
Level 4- Merchants processing less than 20000 e-commerce transactions/year or merchants processing up to 1M any channel Visa transactions/year
Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended
Visa Europe
Level 1- Over 6 Million Visa card transactions/year (all transactions, not just e-commerce), or compromised merchants
Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form
Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions, not just e-commerce)
Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form
Level 3- 1 (one) to 1 Million Visa “e-commerce” transactions/year
Action: Annual SAQ, Quarterly ASV or use PCI DSS certified processor for all transactions
Level 4- Merchants processing up to 1 Million any channel Visa transactions/year
Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended
Of course, all parties who process, store or transmit credit card data must comply with the PCI requirements (PCI DSS) regardless of their level.
I will cover reporting requirements for merchants in another post.