Monday, June 1, 2009

PCI Levels and Validation Requirements for Merchants 2009

This topic is always in the air, so here are the official numbers for 2009 from the PCI Security Standards Council, the official governing body for the PCI requirements for merchants:

Facts:

- Payment Brands determine Merchant PCI levels. Payment Brands are Visa, Mastercard, Discover, Amex, etc. They have the last word on this topic.

- Transaction volume is determined by the Acquirer.

- Transaction volume is the aggregate number of transactions (chain stores do count if cards are processed centrally).

Amex

Level 1- Over 2.5 Million Amex card transactions/year, or any merchant who is Level 1 according to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans


Level 2- 50000-2.5 Million Amex transactions/year, or any merchant who is Level 2 according to another Payment Brand

Action: EU only annual SAQ, Quarterly ASV scans

Level 3- Less than 50000 AMEX transactions/year

Action: Quarterly ASV scans (recommended), EU only SAQ (recommended)

Level 4- N/A

Action: None

Discover

Level 1 - Over 6 Million Discover card transactions/year, any merchant that Discover deems to be Level 1 (discretionary), or any merchant who is validated/reported as Level-1 to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Discover transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20000-1 Million Discover transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- Everybody else with Discover card processing

Action: Determined by Acquirer, Annual SAQ, Quarterly ASV recommended

JCB

Level 1 - Over 1 Million JCB card transactions/year or anybody who is compromised

Action: Annual Onsite QSA audit, Quarterly ASV scans

Level 2- Less than 1 Million JCB transactions/year

Action: Annual SAQ, Quarterly ASV scans

Level 3- N/A

Action: None

Level 4- N/A

Action: None

MasterCard

Level 1- Over 6 Million Mastercard card transactions/year, or any merchant who is Level 1 according to another Payment Brand or anybody who is compromised

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Mastercard transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20000-1 Million Mastercard “e-commerce” transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- All other Mastercard merchants

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Inc

Level 1- Over 6 Million Visa card transactions/year (all transactions, not just e-commerce), or any global merchant who is identified as Level 1 by any Visa Region

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions, not just e-commerce)

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 20000-1 Million Visa “e-commerce” transactions/year

Action: Annual SAQ (In Canada SAQs require QSA reviews), Quarterly ASV

Level 4- Merchants processing less than 20000 e-commerce transactions/year or merchants processing up to 1M any channel Visa transactions/year

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Europe

Level 1- Over 6 Million Visa card transactions/year (all transactions not just e-commerce), or compromised merchants

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions, not just e-commerce)

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 1 (one) to 1 Million Visa “e-commerce” transactions/year

Action: Annual SAQ, Quarterly ASV or use PCI DSS certified processor for all transactions

Level 4- Merchants processing up to 1 Million any channel Visa transactions/year

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Of course, all parties who process, store or transmit credit cards must follow PCI requirements (PCI-DSS) regardless of their levels.

I will cover reporting requirements for merchants in another post.
