Friday, July 31, 2009

PCI Reporting Requirements for Merchants

Facts:
- Check your PCI Merchant levels and validation requirements from the following post: http://security.24kasim.org/2009/06/pci-levels-for-merchants-2009.html

Amex

Level 1-
If compliant, Attestation of Compliance –AOC- (recommended) or exec summary of onsite security assessment report (QSA/internal) annually and quarterly network scan
If not compliant, AOC (recommended) or exec summary of onsite security assessment report and Remediation Plan annually and quarterly network scan and Remediation Plan

Level 2-
Quarterly Network Scans (and Remediation Plan if not compliant)
AOC (Recommended) or Executive Summary
In EU: PCI SAQ

Level 3- Level 4 -
No reporting Required for Amex at L3 and L4

Discover

Level 1 –
Network Merchants:
If compliant Appendix D of PCI DSS requirements and Security Assessment Procedures v1.2 - Attestation of Compliance –AOC-
If not fully compliant must also complete the Action Plan for Nono-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 2:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 3:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 4:
Network Merchants
If compliant Attestation of Compliance –AOC- from applicable SAQ maybe required
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form or Level 4 Merchant Action Plan to Discover twice a year

JCB

JCB has no reporting requirements at this time

MasterCard

Level 1-
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 2-
Acquirers annually register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 3 –
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 4-
No requirements

Visa Inc

Level 1-
At least a twice a year , a statement of merchant compliance / non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)

Level 2-
At least a twice a year , a statement of merchant compliance / non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)

Level 3-
At least a twice a year , a statement of merchant compliance / non-compliance

Level 4-
Set by the acquirer

Visa Europe
Level 1-
Annual statement of merchant compliance
For merchants in progress, quarterly update until compliance confirmed
Upon request a copy of Report on Compliance (ROC) including indication of scan completion

Level 2-
Annual Statement of compliance / non-compliance
For merchants in progress, quarterly update until compliance confirmed

Level 3-
Quarterly statement of compliance / non-compliance for merchants above 20000 transactions/year. Annual statement for merchant below 20000 transactions/year

Level 4:
Annual statement of compliance / non-compliance for merchants processing < 1 million Visa transactions/year.



Service Providers are not merchants so if you are providing card processing for 3rd parties (Payment Service Provider) PSP or if you are a TPP (Third Party Processor) PCI levels, validation and reporting requirements are different. The charts above are for merchants only.

No comments: