Facts:
- Check your PCI Merchant levels and validation requirements in the following post: http://security.24kasim.org/2009/06/pci-levels-for-merchants-2009.html
Amex
Level 1-
If compliant, Attestation of Compliance –AOC- (recommended) or exec summary of onsite security assessment report (QSA/internal) annually and quarterly network scan
If not compliant, AOC (recommended) or exec summary of onsite security assessment report and Remediation Plan annually and quarterly network scan and Remediation Plan
Level 2-
Quarterly Network Scans (and Remediation Plan if not compliant)
AOC (Recommended) or Executive Summary
In EU: PCI SAQ
Level 3- Level 4 -
No reporting Required for Amex at L3 and L4
Discover
Level 1 –
Network Merchants:
If compliant Appendix D of PCI DSS requirements and Security Assessment Procedures v1.2 - Attestation of Compliance –AOC-
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year
Level 2:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year
Level 3:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year
Level 4:
Network Merchants
If compliant Attestation of Compliance –AOC- from applicable SAQ may be required
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form or Level 4 Merchant Action Plan to Discover twice a year
JCB
JCB has no reporting requirements at this time
MasterCard
Level 1-
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly
Level 2-
Acquirers annually register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly
Level 3 –
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly
Level 4-
No requirements
Visa Inc
Level 1-
At least twice a year, a statement of merchant compliance / non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)
Level 2-
At least twice a year, a statement of merchant compliance / non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)
Level 3-
At least twice a year, a statement of merchant compliance / non-compliance
Level 4-
Set by the acquirer
Visa Europe
Level 1-
Annual statement of merchant compliance
For merchants in progress, quarterly update until compliance confirmed
Upon request a copy of Report on Compliance (ROC) including indication of scan completion
Level 2-
Annual Statement of compliance / non-compliance
For merchants in progress, quarterly update until compliance confirmed
Level 3-
Quarterly statement of compliance / non-compliance for merchants above 20000 transactions/year. Annual statement for merchants below 20000 transactions/year
Level 4:
Annual statement of compliance / non-compliance for merchants processing < 1 million Visa transactions/year.
Service providers are not merchants. If you provide card processing for third parties as a Payment Service Provider (PSP), or if you are a Third Party Processor (TPP), the PCI levels, validation and reporting requirements are different. The charts above are for merchants only.
Friday, July 31, 2009
PCI Reporting Requirements for Merchants