Determine Merchant Level
All merchants are required to comply with the same PCI DSS standard. It is the annual number of payment card transactions that determines the level of proof a merchant must provide to be considered compliant. A low-volume retailer may only have to complete a Self-Assessment Questionnaire (SAQ), answering the compliance questions within the PCI DSS, while a larger-volume retailer will be required to have a Qualified Security Assessor (QSA) come on-site to evaluate the company's security policies and practices and to create an in-depth Report on Compliance (ROC).
The PCI Security Standards Council has defined four merchant levels that determine the evidence a merchant (you) must provide. The required level of proof for PCI compliance depends on the merchant level you fall into, based on the total number of payment card transactions you process annually. While it is the payment brand (e.g., Visa, MasterCard, etc.) or acquirer that determines which level a merchant falls into, it is up to that merchant to navigate the PCI DSS to become and remain fully compliant. AO:Compliance can assist you in determining your merchant level, as well as in achieving and maintaining full PCI compliance.
Level 1 is any merchant that processes over 6,000,000 transactions a year. A Level 1 merchant must bring an on-site assessor, called a QSA, to evaluate its security and create an in-depth Report on Compliance. Quarterly PCI scans are also required.
Level 2 is any merchant that processes between 1,000,000 and 6,000,000 transactions a year. In lieu of a full Report on Compliance, the PCI Council allows Level 2 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI scans are also required. Level 2 merchants also have an extra one-page form, taking about 5 minutes to fill out, which states that they do not keep certain types of credit card information on file.
Level 3 is any merchant that processes between 20,000 and 1,000,000 transactions a year. In lieu of a full Report on Compliance, the PCI Council allows Level 3 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI scans are also required.
Level 4 is any merchant that processes between 1 and 20,000 transactions a year. In lieu of a full Report on Compliance, the PCI Council allows Level 4 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI scans are also required.
The vast majority of retail merchants fall into Levels 2 through 4, where the basic requirements are similar, with the exception of the additional on-site self-assessment form for Level 2. All three levels require quarterly PCI scans performed by an Approved Scanning Vendor (ASV) and must complete an annual Self-Assessment Questionnaire (SAQ). AO:Compliance specialists can work with you to reduce PCI scope and potential data vulnerabilities, which can result in significant cost savings and reduced liability. If you currently store customer payment card information on your servers, AO:Compliance specialists can work with you to transition that storage to your payment gateway provider, such as Authorize.net, LinkPoint, or PayPal. This one change can greatly increase the protection of your customer data and reduce the SAQ requirements.
AO:Compliance specialists are ready to guide you through all current and upcoming PCI standards to get you compliant quickly and efficiently. From the smallest Level 4 merchants to the largest retail chains, AO:Compliance specialists understand that IT resources are already strained (or even non-existent). Navigating the process of achieving PCI compliance can be a tremendous burden on your IT resources, one that AccuCode's AO:Compliance solution can help offset or supplement.