PCI Validation Requirements

PCI validation requirements for merchants vary depending on sales volume and how transactions are processed. Here are the requirements based on ‘Merchant Level’:

Merchant Level 1
Description: Any merchant, regardless of acceptance channel, processing over 6,000,000 transactions per year. Any merchant that a card association, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to cardholders and issuers.
PCI Validation Requirements:
  • Annual On-site PCI Data Security Assessment by qualified Security Assessor or Internal Audit if signed by company Officer, and
  • Quarterly Network Scan by approved scanning vendor.

Merchant Level 2
Description: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 transactions per year.
PCI Validation Requirements:
  • Annual PCI Self-Assessment Questionnaire by merchant, and
  • Quarterly Network Scan by approved scanning vendor.

Merchant Level 3
Description: Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year.
PCI Validation Requirements:
  • Annual PCI Self-Assessment Questionnaire by merchant, and
  • Quarterly Network Scan by approved scanning vendor.

Merchant Level 4
Description: Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 transactions per year.
PCI Validation Requirements:
  • Annual PCI Self-Assessment Questionnaire by merchant, and
  • Quarterly Network Scan by approved scanning vendor (if required by payment service provider).