Merchants need to know

All merchants that store, process or transmit cardholder data must be PCI compliant. Each merchant that is categorized as a Level 1, Level 2 or Level 3 merchant is required to report compliance status directly to its acquiring bank.

Determining merchant level often raises questions. Mastercard recommends that merchants contact their acquiring bank, and with assistance from the bank, merchants can then complete the following steps:

Determine merchant level using Mastercard transaction volume from the most recent 52-week period
Confirm necessary PCI validation requirements
Engage an approved vendor, as appropriate, and follow the validation procedures

Once a merchant has been verified as compliant, the merchant must submit the validation requirements to its acquiring bank, which will then report the merchant’s compliance status to Mastercard.

Criteria

Any merchant that has suffered a hack or an attack that resulted in an account data compromise
Any merchant having more than six million total combined Mastercard and Maestro transactions annually
Any merchant meeting the Level 1 criteria of Visa
Any merchant that Mastercard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system

Requirements

Annual onsite assessment¹
Quarterly network scan conducted by an ASV²

Compliance date

30 June 2012³

Criteria

Any merchant with more than one million but less than or equal to six million total combined Mastercard and Maestro transactions annually
Any merchant meeting the Level 2 criteria of Visa

Requirements

Annual self-assessment⁴
Onsite assessment at merchant discretion⁴
Quarterly network scan conducted by an ASV²

Compliance date

30 June 2012⁴

Criteria

Any merchant with more than 20,000 but less than or equal to one million combined Mastercard and Maestro e-commerce transactions annually
Any merchant meeting the Level 3 criteria of Visa

Requirements

Annual self-assessment
Quarterly network scan conducted by an ASV²

Compliance date

30 June 2005

Criteria

All other merchants⁵

Requirements

Annual self-assessment
Quarterly network scan conducted by an ASV²

Compliance date

Consult acquirer

1. Effective 30 June 2012, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue to use internal auditors.

2. Quarterly network scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).

3. Initial compliance date of June 2005 for Level 1 merchants has now passed. The 30 June 2012 deadline is for PCI SSC ISA training and certification only and is for those merchants that choose to conduct an annual onsite assessment using an internal auditor.

4. Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire.

5. Level 4 merchants are required to comply with the PCI DSS. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.