APPENDIX B: MERCHANT LEVELS DEFINED - COMPLIANCE VALIDATION REQUIREMENTS

Validation requirements for credit card merchants based on annual transaction volume and payment channel.

 
| Level | Merchant Qualification Criteria (# of Transactions Processed) | Annual Reporting Requirements | External Vulnerability Scans | Implied Risk |
|---|---|---|---|---|
| 1 | >6M Visa transactions annually (all payment channels); merchants elevated to Level 1 by Visa | Report on Compliance (ROC) by a Qualified Security Assessor (QSA); Attestation of Compliance (AOC) form | Quarterly by an Approved Scanning Vendor (ASV) | Highest |
| 2 | Between 1M-6M Visa transactions annually (all channels) | Annual SAQ; AOC | Quarterly ASV | High |
| 3 | 20K up to 1M Visa e-commerce transactions annually | Annual SAQ; AOC | Quarterly ASV | Medium |
| 4 | <20K Visa e-commerce & up to 1M Visa transactions annually (all payment channels) | Annual SAQ (recommended)* | Quarterly ASV (if applicable)* | Lowest |

*Compliance validation requirements set by acquirer


 
