Merchants

Criminals are becoming increasingly sophisticated in how they break into systems. It is, therefore, critical that merchants take steps to secure their systems to limit their exposure to account data compromises.

The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security best practices which, when implemented correctly, will assist retailers in protecting their systems and help maintain the trust of their customers.

Merchant levels and compliance validation requirements

All merchants fall into one of four merchant levels based on their Visa transaction volume over a 12-month period. The following table sets out the transaction volume that defines each level and the validation requirements that apply to it.

Level*   Merchant criteria   Validation requirements

Level 1
  Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as Level 1 by any Visa region.**
  Validation requirements:
  • Annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor (QSA) or a qualified internal security resource
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance form

Level 2
  Merchant criteria: Merchants processing one million to six million Visa transactions annually via all channels.
  Validation requirements:
  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 3
  Merchant criteria: Merchants processing 20,000 to one million Visa e-commerce transactions annually.
  Validation requirements (one of the following):
  • Use a service provider that has certified its PCI DSS compliance (certified providers are listed on Visa Europe's website: www.visaeurope.com)
    OR
  • Certify their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe (SAQ)

Level 4 (e-commerce merchants only)
  Merchant criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually.
  Validation requirements (one of the following):
  • Use a service provider that has certified its PCI DSS compliance (certified providers are listed on Visa Europe's website: www.visaeurope.com)
    OR
  • Certify their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe (SAQ)

Level 4 (non e-commerce merchants)
  Merchant criteria: Merchants processing up to one million Visa transactions annually.
  Validation requirements:
  • Annual SAQ
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

* Compromised entities may be escalated to a higher level at regional discretion.
** Where merchants operate in more than one country or region, if they meet the Level 1 criteria in any Visa country or region they are considered a global Level 1 merchant. An exception may apply to global merchants if there is no common infrastructure and Visa data is not aggregated across borders; in such cases merchants are validated according to regional levels.

Resources