PCI-DSS

Is your acquiring financial institution threatening to fine your business for PCI non-compliance?

Don’t ignore the warnings.

If your business accepts payment cards in person, over the phone, or online, there are four PCI-DSS merchant levels (each with its own compliance requirements) that you need to know about:

Level 1: Merchants processing more than 6,000,000 Visa transactions annually.

PCI Requirements:

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
  • Quarterly network scan by Approved Scanning Vendor (ASV)
  • Penetration Test
  • Internal Scan
  • Attestation of Compliance Form

Level 2: Merchants processing 1,000,000 - 6,000,000 Visa transactions annually.

PCI Requirements:

  • Annual Self-Assessment Questionnaire (SAQ) if the organization has a certified Internal Security Assessor (ISA) on staff
  • Onsite assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA) if no ISA is on staff
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
  • Additional requirements depending on SAQ type (e.g., Penetration Test, Internal Scan)

Level 3: Merchants processing 20,000 - 1,000,000 Visa e-commerce transactions annually.

PCI Requirements:

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
  • Additional requirements depending on SAQ type (e.g., Penetration Test, Internal Scan)

Level 4: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1,000,000 Visa transactions annually.

PCI Requirements:

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
  • Additional requirements

Merchant in this context refers to your organization (an entity that accepts Visa or Mastercard), and the levels rank merchants by the number of transactions processed over a 52-week period. The acquiring bank is the financial institution through which your organization receives card payments. Acquiring banks are also referred to by the PCI SSC as the PCI compliance vendor. If you are at risk of being fined by your bank and are not sure which PCI requirements your organization needs to adhere to, Keyes Security has an experienced team that can assess your payment card environment and help you meet the correct compliance requirements.