PCI Levels

Merchant levels


Level 1

  • Processing more than 6 million Visa, Mastercard, or Discover transactions annually via any channel
  • Processing more than 2.5 million American Express transactions annually
  • Processing more than 1 million JCB transactions annually
  • Have suffered a data breach that resulted in cardholder data being compromised
  • Have been identified by another card issuer as Level 1

Requirements:

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance (AOC) Form

Level 2

  • Processing between 1 million and 6 million Visa, Mastercard, or Discover transactions per year via any channel
  • Processing between 50,000 and 2.5 million American Express transactions annually
  • Processing less than 1 million JCB transactions annually

Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance (AOC) Form

Level 3

  • Processing between 20,000 and 1 million Visa e-commerce transactions annually
  • Processing 20,000 or more Mastercard e-commerce transactions annually, but no more than 1 million total Mastercard transactions annually
  • Processing between 20,000 and 1 million Discover card-not-present transactions annually
  • Processing less than 50,000 American Express transactions annually

Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance (AOC) Form

Level 4

  • Processing less than 20,000 Visa or Mastercard e-commerce transactions annually
  • Processing up to 1 million Visa or Mastercard transactions annually

Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by Approved Scan Vendor (ASV)

[Image: credit card, front and back. Front: chip, PAN, cardholder name, expiration date, CID (American Express). Back: CAV2/CID/CVC2/CVV2 (all other payment card brands) and magnetic stripe (data on tracks 1 and 2). The CID, CAV2/CID/CVC2/CVV2 and magnetic stripe track data are highlighted in red.]

Self-Assessment Questionnaires (SAQ) types


SAQ A

  • Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers
  • No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises
  • Not applicable to face-to-face channels

SAQ A-EP

  • E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and whose website(s) do not directly receive cardholder data but can affect the security of the payment transaction
  • No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises
  • Applicable only to e-commerce channels

SAQ B

  • Merchants using only:
    • Imprint machines with no electronic cardholder data storage
    • Standalone, dial-out terminals with no electronic cardholder data storage
  • Not applicable to e-commerce channels

SAQ B-IP

  • Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor
  • No electronic cardholder data storage
  • Not applicable to e-commerce channels

SAQ C-VT

  • Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider
  • No electronic cardholder data storage
  • Not applicable to e-commerce channels

SAQ C

  • Merchants with payment application systems connected to the Internet
  • No electronic cardholder data storage
  • Not applicable to e-commerce channels

SAQ P2PE-HW

  • Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution
  • No electronic cardholder data storage
  • Not applicable to e-commerce channels

SAQ D (Merchant)

  • All merchants not included in descriptions for the above SAQ types

SAQ D (Service Providers)

  • All service providers (not merchants) defined by a payment brand as eligible to complete an SAQ

EMVCo certification levels


Level 1: Hardware

  • The device/terminal passes the physical, electromagnetic, communication-protocol and operating-distance tests
  • Applies to both contact EMV and contactless EMV
  • The hardware supplier is responsible for Level 1

Level 2: Software Kernel / Library

  • The software (kernel) that handles the exchange of payment data with the card
  • One common specification for EMV contact
  • Each card brand has its own specification for EMV contactless
  • Typically the hardware supplier is responsible for Level 2, but this may depend on the software running on the payment terminal

Level 3: Brand certification

  • End-to-end EMV transaction certification covering the L1 hardware, L2 kernel, payment application, gateway/processor and brand approval
  • The solution provider is usually responsible for Level 3
