Redspin PCI Services
PCI Merchant Levels and Validation Requirements
The following table outlines the Visa merchant levels and the validation requirements for each level.
Go to the Visa website for more information:
Visa Merchant Requirements
Visa Merchant Levels and the Validation Requirements

Level 1
Description:
  • Any merchant – regardless of acceptance channel – processing over 6,000,000 Visa transactions per year.
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  • Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • Any merchant identified by any other payment card brand as Level 1.
Validation Action:
  • Annual On-site PCI Data Security Assessment
  • Quarterly Network Scan
Validated By:
  • Qualified Security Assessor or Internal Audit if signed by Officer of the company
  • Approved Scanning Vendor
Due Date: 9/30/04. New level 1 merchants have up to one year from identification to validate.

Level 2
Description: Any merchant – regardless of acceptance channel – processing 1,000,000 to 6,000,000 Visa transactions per year.
Validation Action:
  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan
Validated By:
  • Merchant
  • Approved Scanning Vendor
Due Date: New level 2 merchants: 9/30/2007

Level 3
Description: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Validation Action:
  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan
Validated By:
  • Merchant
  • Approved Scanning Vendor
Due Date: 6/30/05

Level 4
Description: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants – regardless of acceptance channel – processing up to 1,000,000 Visa transactions per year.
Validation Action:
  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan
Validated By:
  • Merchant
  • Approved Scanning Vendor
Due Date: Validation requirements and dates are determined by the merchant's acquirer


The following table outlines the MasterCard merchant levels and the validation requirements for each level. For more information on MasterCard merchant requirements please see
Go to the MasterCard website for more information:
Mastercard Merchant Requirements
MasterCard Merchant Levels and the Validation Requirements

Level 1
Criteria:
  • All merchants, including electronic commerce merchants, with more than 6 million total MasterCard transactions annually
  • All merchants that experienced an account compromise
  • All Merchants of a competing card payment brand that meet the Level 1 transaction criteria as set forth in the PCI framework
Onsite Review: Required Annually
Self Assessment: Not Required
Network Security Scan: Required Quarterly
Initial Compliance Validation Date: 30-Jun-05

Level 2
Criteria:
  • All merchants with more than one million total MasterCard transactions but less than six million total transactions annually
  • All merchants meeting the Level 2 criteria of a competing payment brand
Onsite Review: Not Required
Self Assessment: Required Annually
Network Security Scan: Required Quarterly
Initial Compliance Validation Date: 30-Jun-04

Level 3
Criteria:
  • All merchants with annual MasterCard e-commerce transactions greater than 20,000 but less than one million total transactions
  • All merchants meeting the Level 3 criteria of a competing payment brand
Onsite Review: Not Required
Self Assessment: Required Annually
Network Security Scan: Required Quarterly
Initial Compliance Validation Date: 30-Jun-05

Level 4
Criteria: All other merchants
Onsite Review: Not Required
Self Assessment: Required Annually
Network Security Scan: Required Quarterly
Initial Compliance Validation Date: Consult Acquirer


The following table outlines the American Express merchant levels and the validation requirements for each level. For more information on American Express merchant requirements, please go to the Data Security section of the American Express merchant homepage found here:
Go to the Data Security section of the American Express website for more information:
American Express Merchant Requirements
American Express Merchant Levels and the Validation Requirements

Level 1
Definition: 2.5 million American Express Card transactions or more per year; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1.
Validation Documentation: Annual Onsite Security Audit Report, and Quarterly Network Scan
Requirement: Mandatory

Level 2
Definition: 50,000 to 2.5 million American Express Card transactions per year
Validation Documentation: Quarterly Network Scan
Requirement: Mandatory

Level 3
Definition: Less than 50,000 American Express Card transactions per year
Validation Documentation: Quarterly Network Scan
Requirement: Strongly Recommended


For information about the validation requirements of other credit cards, please consult the credit card issuer or the acquirer.

©2008 Redspin, Inc. All rights reserved.