Questions? Contact Us


Latest News

Featured News & Events

Understanding PCI Levels and Types

Any merchant who accepts credit cards and has a merchant account must validate compliance. It does not matter if you use a 3rd party processor or if you outsource all of your credit card processing. It's the ownership of the merchant account that defines if you must validate compliance. The only to avoid PCI compliance is by not having a merchant account. Below are some charts which will help you decide which category and merchant type your business fits into.

Merchant levels and Compliance Validation Requirements

PCI Merchant Levels
Level Description Validation Requirements

  • Any merchant, "regardless of acceptance channel, processing over 6,000,000 Visa transactions per year

  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.

  • Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

  • Any merchant identified by any other payment card brand as Level 1

  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)

  • Quarterly network scan by Approved Scan Vendor (“ASV”)

  • Attestation of Compliance Form


  • Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 transactions per year

  • Annual Self-Assessment Questionnaire (“SAQ”)

  • Quarterly network scan by ASV

  • Attestation of Compliance Form


  • Any merchant processing 20,000 to 1,000,000 transactions per year.

  • Annual SAQ

  • Quarterly network scan by ASV

  • Attestation of Compliance Form


  • Any merchant processing fewer than 20,000 transactions per year.

  • Annual SAQ recommended

  • Quarterly network scan by ASV if applicable

  • Compliance validation requirements set by acquirer

Merchant Types

The “SAQ” is a self-validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level.

Self-Assessment Questionnaires and Validation Types
SAQ ValidationType Description SAQ
1 Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data
functions outsourced. This would never apply to face-to-face merchants.
2 Imprint-only merchants with no cardholder data storage. B
3 Standalone dial-up terminal merchants, no cardholder data storage. B
4 Merchants with payment application systems connected to the Internet, no
cardholder data storage.
5 All other merchants (not included in descriptions for SAQs A, B or C above), and
all service providers defined by a card brand as eligible to complete a SAQ.

Service Provider Levels

Service providers are organizations that process, store, or transmit cardholder data on behalf of clients, merchants, or other service providers. Service provider levels are defined as:

Self-Assessment Questionnaires and Validation Types
Service Provider Level Description Validation Requirements
1 Processors or any service providers that stores, processes and/or transmits over 300,000 transactions per year.

  • Annual On-Site PCI Data Security Assessment validated Qualified Security Assessor (“QSA”)

  • Quarterly network scan by Approved Scan Vendor (“ASV”)

2 Any service provider that stores, processes and/or transmits less than 300,000 transactions per year.

  • Validated by Service Provider

  • Quarterly network scan by Approved Scan Vendor (“ASV”)

By using the charts above, you should be able to easily determine your level and validation type. Knowing this details will go a long way in guiding you through your compliance but it is important to partner with other qualified businesses for your service. ZZ Servers provides PCI focused hosted infrastructure designed for PCI compliance and includes many of controls and measures required for your business infrastructure to be fully compliant. Credit Card Data Stolen
Protecting your email address from domain spoofing...

Related Posts


Tag Cloud

business community ZZ Servers Co-Founder information technology passwords log files anti virus BSides HIDS Cloud Computing QSA credit card business solitions Payment Card Industry dss command line Zendzian PCI Hosting smartphone VPS Servers cloud infrastructure social engineering InterWorx Healthcare Records dsbl cyber liability insurance credit card payment HIPAA solutions sender policy Continuous Monitoring business Shmoocon Ubuntu Internet infrastructure credit cards stolen health care providers security activesync Linux employee training Sysadmin qsa Small Business Email Windows change spoofing spam eCommerce Solutions blackberry Announcement Positive Customer Impact Interworx-CP cybersecurity Scalable Redundant Cloud Infrastructure DRP GDPR PCI Audit businesses PCI DSS 3.2 PCI Compliance SSL IT security arduino motivation Security computer networks ICANN mail server malicious software data privacy backup solutions Server Mangement phishing attacks video physical security cli Xen email accounts bash Accountability Act Domani Names CentOs intrusion detection Geekend small business search embedded shared folders Credit Cards Debian Medical Records Business Solutions Las Vegas Home Depot Breach protect data phishing teensy computer security IT Solutions cyber openssl permissions cyber monitoring INFOSEC TiaraCon Cybersecurity Vulnerability education lamp Credit Card Security password windows 7 caller-id ipad Disaster Recovery Plan Online Business compliant hosting safe computing hosting control panel support two factor authentication apache Firetalk multi-factor authentication shared server Reports cyber monday Cybersecurity Business Solutions Control Panel IT solutions data protection Medical Solutions World Backup Day physical exchange PCI Alarm Internet HIPAA spf vyatta router firewall filter security PCI HIPAA Information Technology black friday PCI compliance vps computing in the cloud PCI Service Provider IT services Hosting IT Services Car Hacking Charleston Health Care Cybersecurity personal information business solutions security circles network Health Insurance Portability Hackers IT eCommerce healthcare solutions pci complliant hosting shared hosting PCI Data Security Standards HIPAA Solutions cloud trends infrastructure Compliance OSSEC Assigned Names follow.The HIPAA Privacy Rule Presentation cyber protection ZZ Servers iphone HIPPA PCI Solutions vulnerability scanning shared secure hosting assesment Web Hosting David Zendzian National Cyber Security Awareness Month amazon ec2 compliance cyber security Business Planning data breach kerio Internet Corporation recovering data members area DEF CON cell phone email TLS management logical security