In order to maintain some sort of order within PCI Compliance, VISA and MasterCard have created 4 risk levels that will apply to any particular business, for determining the risk level of a merchant.
| Merchant Level |
Description |
Validation Requirements |
| Level 1 |
Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region. |
Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA) or internal auditor if signed by officer of the company.
Quarterly network scan by Approved Scan Vendor (ASV).
Attestation of Compliance Form. |
| Level 2 |
Merchants processing 1 million to 6 million Visa transactions annually (all channels). |
Annual Self-Assessment Questionnaire (SAQ).
Quarterly network scan by ASV.Attestation of Compliance Form. |
| Level 3 |
Merchants processing 20,000 to 1 million Visa e-commerce transactions annually. |
Annual Self-Assessment Questionnaire (SAQ).
Quarterly network scan by ASV.
Attestation of Compliance Form. |
| Level 4 |
Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually. |
Annual SAQ recommended.
Quarterly network scan by ASV if applicable.
Compliance validation requirements set by acquirer. |