Questions? Contact Us


Latest News

Featured News & Events

Understanding PCI Levels and Types

Any merchant who accepts credit cards and has a merchant account must validate compliance. It does not matter if you use a 3rd party processor or if you outsource all of your credit card processing. It's the ownership of the merchant account that defines if you must validate compliance. The only to avoid PCI compliance is by not having a merchant account. Below are some charts which will help you decide which category and merchant type your business fits into.

Merchant levels and Compliance Validation Requirements

PCI Merchant Levels
Level Description Validation Requirements

  • Any merchant, "regardless of acceptance channel, processing over 6,000,000 Visa transactions per year

  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.

  • Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

  • Any merchant identified by any other payment card brand as Level 1

  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)

  • Quarterly network scan by Approved Scan Vendor (“ASV”)

  • Attestation of Compliance Form


  • Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 transactions per year

  • Annual Self-Assessment Questionnaire (“SAQ”)

  • Quarterly network scan by ASV

  • Attestation of Compliance Form


  • Any merchant processing 20,000 to 1,000,000 transactions per year.

  • Annual SAQ

  • Quarterly network scan by ASV

  • Attestation of Compliance Form


  • Any merchant processing fewer than 20,000 transactions per year.

  • Annual SAQ recommended

  • Quarterly network scan by ASV if applicable

  • Compliance validation requirements set by acquirer

Merchant Types

The “SAQ” is a self-validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level.

Self-Assessment Questionnaires and Validation Types
SAQ ValidationType Description SAQ
1 Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data
functions outsourced. This would never apply to face-to-face merchants.
2 Imprint-only merchants with no cardholder data storage. B
3 Standalone dial-up terminal merchants, no cardholder data storage. B
4 Merchants with payment application systems connected to the Internet, no
cardholder data storage.
5 All other merchants (not included in descriptions for SAQs A, B or C above), and
all service providers defined by a card brand as eligible to complete a SAQ.

Service Provider Levels

Service providers are organizations that process, store, or transmit cardholder data on behalf of clients, merchants, or other service providers. Service provider levels are defined as:

Self-Assessment Questionnaires and Validation Types
Service Provider Level Description Validation Requirements
1 Processors or any service providers that stores, processes and/or transmits over 300,000 transactions per year.

  • Annual On-Site PCI Data Security Assessment validated Qualified Security Assessor (“QSA”)

  • Quarterly network scan by Approved Scan Vendor (“ASV”)

2 Any service provider that stores, processes and/or transmits less than 300,000 transactions per year.

  • Validated by Service Provider

  • Quarterly network scan by Approved Scan Vendor (“ASV”)

By using the charts above, you should be able to easily determine your level and validation type. Knowing this details will go a long way in guiding you through your compliance but it is important to partner with other qualified businesses for your service. ZZ Servers provides PCI focused hosted infrastructure designed for PCI compliance and includes many of controls and measures required for your business infrastructure to be fully compliant. Credit Card Data Stolen
Protecting your email address from domain spoofing...

Related Posts


Tag Cloud

IT Ubuntu Geekend ICANN apache vps shared hosting network Medical Records TiaraCon cyber protection Cloud Computing Alarm credit card Credit Card Security smartphone HIDS computer security cli computer networks spf Email business video data privacy DEF CON change PCI Compliance physical security shared secure hosting dss protect data Hackers HIPPA eCommerce Solutions OSSEC PCI Solutions vyatta router firewall filter security PCI HIPAA Server Mangement PCI Hosting recovering data PCI Data Security Standards GDPR credit cards stolen Zendzian personal information Firetalk SSL members area assesment ipad Cybersecurity ZZ Servers Co-Founder VPS Servers cloud TLS IT Solutions backup solutions cloud infrastructure Car Hacking passwords search business solutions Healthcare Records safe computing phishing attacks Positive Customer Impact activesync Las Vegas lamp computing in the cloud intrusion detection vulnerability scanning Credit Cards cyber liability insurance businesses Continuous Monitoring Xen PCI DSS 3.2 cyber monday information technology motivation amazon ec2 caller-id multi-factor authentication Domani Names Charleston iphone eCommerce Interworx-CP bash PCI Medical Solutions Internet infrastructure Home Depot Breach cyber security healthcare solutions employee training log files windows 7 qsa Payment Card Industry support cell phone email Accountability Act security dsbl Sysadmin Disaster Recovery Plan social engineering business community physical cybersecurity shared server Assigned Names Internet email accounts permissions data breach trends Windows Small Business World Backup Day cyber Health Care Cybersecurity malicious software David Zendzian Compliance arduino health care providers QSA blackberry Online Business shared folders kerio credit card payment HIPAA Security Business Planning Internet Corporation National Cyber Security Awareness Month hosting control panel IT services spam Linux Web Hosting IT Services management two factor authentication Business Solutions education Vulnerability teensy cyber monitoring BSides Shmoocon pci complliant hosting business solitions Announcement HIPAA solutions follow.The HIPAA Privacy Rule CentOs HIPAA Solutions Control Panel exchange anti virus data protection small business PCI compliance black friday command line Debian INFOSEC embedded security circles Reports openssl infrastructure password IT security PCI Audit Cybersecurity Business Solutions ZZ Servers mail server Scalable Redundant Cloud Infrastructure Health Insurance Portability PCI Service Provider Information Technology DRP InterWorx compliance spoofing phishing compliant hosting logical security Hosting Presentation sender policy IT solutions