What are the PCI compliance levels, and which do I need for my business?

There are four merchant levels, each with its own validation requirements.

Your business will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’).

Merchant levels as defined by Visa:

  • Level 1 is any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year. Level 1 also includes any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimise risk to the Visa system.
  • Level 2 is any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.
  • Level 3 is any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
  • Level 4 is any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.

Note: any business that has suffered a breach resulting in an account data compromise may be escalated to a higher validation level, regardless of its transaction volume.

PCI DSS Compliance levels

We only do eCommerce. Which SAQ should we use?

It depends on how card data is captured on your site: whether the cardholder is redirected to, or enters card data into an iframe served by, a PCI DSS compliant third party (SAQ A); whether your own website delivers page content that can affect the security of the payment, for example the script that loads the payment form (SAQ A-EP); or whether card data passes through systems you control (SAQ D). See PCI DSS v4.0 and the Evolution of the Self-Assessment Questionnaire (SAQ) for E-commerce Merchants.

Do organisations using third-party processors have to be PCI DSS compliant?

Yes. Using a third-party processor does not exempt an organisation from PCI DSS. It may reduce the organisation's risk exposure and consequently the effort needed to validate compliance, but the organisation remains responsible for the security of the systems and processes it still controls and for managing its service providers (PCI DSS Requirement 12.8), so it cannot ignore the PCI DSS.

My company doesn’t store credit card data, so does PCI compliance apply to us?

Yes. If you accept credit or debit cards as a form of payment, PCI DSS applies to you: it covers any entity that stores, processes or transmits cardholder data, not only those that store it. Storing card data is the riskiest of the three, so not storing it removes the storage requirements from your scope and usually makes becoming secure and compliant easier, but the systems that process or transmit card data remain in scope.

For more information, visit the PCI Security Standards website.