Level 1 – Any merchant – regardless of acceptance channel – processing over 6,000,000 Visa transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant identified by any other payment card brand as Level 1
Level 2 – Any merchant processing 150,000 to 6,000,000 Visa e-commerce transactions per year.
Level 3 – Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year.
Level 4 – Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6,000,000 Visa transactions per year.
The current version of the standard specifies 12 requirements for compliance, organized into 6 logically related groups, which are called “control objectives.” You can verify these requirements by doing a “self-assessment” or through one of many Qualified Security Assessors (QSAs). The good news is these QSA’s will walk you through the compliance process, step-by-step. I’ve personally gone through the compliance process with two rather large QSA’s, Control Scan and Scan Alert for a couple of reasons. For starters I wanted our company to be better educated on the process so we could answer any questions that our customers may have as they become compliant, but also I wanted to better understand the dreaded “false positive” syndrome surrounding compliance.
Stay tuned for my experiences in PCI Compliance part II!