PCI DSS Compliance for Merchants
All merchants fall into one of four levels, with varying degrees of obligation under the PCI standard. As a merchant, you can see where you fall in the scheme using the guide below.
Level 1 PCI DSS Compliance for Merchants
Level 1 PCI Merchants are:
- Any merchant – regardless of acceptance channel – processing over 6,000,000 payment card transactions per year
- Any merchant that has suffered a hack or an attack that resulted in an account data compromise
- Any merchant that the payment card vendor, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the payment card system
- Any merchant identified by any other payment card brand as Level 1
Validation for Level 1 PCI Merchants
An Annual On-Site Security Audit and Quarterly Network Scans must be performed by an Independent Security Assessor, a Qualified Independent Scan Vendor, or Internal Audit if signed by an Officer of the Company.
The compliance deadline for Level 1 PCI Merchants was Sep 30 2004.
Level 2 PCI DSS Compliance for Merchants
Level 2 PCI Merchants are:
- Any e-commerce merchant processing 1,500,000 to 6,000,000 payment card transactions per year
Validation for Level 2 PCI Merchants
Annual PCI Self Assessment Questionnaire and Quarterly Network Scans must be performed by the merchant or a Qualified Independent Scan Vendor.
The compliance deadline for Level 2 PCI Merchants was Jun 30 2005.
Level 3 PCI DSS Compliance for Merchants
Level 3 PCI Merchants are:
- Any e-commerce merchant processing 20,000 to 1,500,000 payment card transactions per year
Validation for Level 3 PCI Merchants
Annual PCI Self Assessment Questionnaire and Quarterly Network Scans must be performed by the merchant or a Qualified Independent Scan Vendor.
The compliance deadline for Level 3 PCI Merchants was Jun 30 2005.
Level 4 PCI DSS Compliance for Merchants
Level 4 PCI Merchants are:
- All merchants regardless of acceptance channel
Validation for Level 4 PCI Merchants
Annual PCI Self Assessment Questionnaire and Quarterly Network Scans must be performed by the merchant or a Qualified Independent Scan Vendor.
While compliance is mandatory for Level 4 PCI Merchants, validation is optional but strongly recommended.
