PCI DSS Merchant Level Chart



| Merchant Level | Selection Criteria | Validation Actions | Validated By |
|---|---|---|---|
| One | Any merchant - regardless of acceptance channel - processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1 | Annual On-Site Security Audit (1) and Quarterly Network Scan | Independent Security Assessor or Internal Audit if signed by an Officer of the company; Qualified Independent Scan Vendor |
| Two | 1 million - 6 million Visa or MasterCard transactions per year | Visa: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan; MasterCard: Annual PCI Self-Assessment Questionnaire (2) and Quarterly Network Scan; At merchant discretion: Annual Onsite Assessment (2) | Merchant; Qualified Independent Scan Vendor |
| Three | 20,000 - 1 million Visa or MasterCard e-commerce transactions per year | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor |
| Four | Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year | Visa: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan; MasterCard: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor |

Validation requirements and dates for Level 4 merchants are determined by the merchant's acquirer. Submission of scan reports and/or questionnaires by Level 4 merchants may be required.

1. Effective 30 June 2011, MasterCard Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.

2. Effective 30 June 2011, MasterCard Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.