|A||Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.|
|A-EP||E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.|
|B||Merchants using only:
|B-IP||Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.|
|C-VT||Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.|
|C||Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.|
|P2PE-HW||Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.|
|D||SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.|
SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete a SAQ.
As the Payment Card Industry (PCI) rapidly expanded, the Payment Card Industry Security Standards Council (PCI SSC) developed a set of requirements called the Payment Card Industry Data Security Standard (PCI DSS). These specifications ensure all companies that process, store or transmit credit card information maintain a secure environment. PCI applies to all organizations or merchants that accept, transmit or store cardholder data, regardless of size or number of transactions.
This list is by no means complete, but we can guarantee that if you answer “no” to even one of the following questions, then you are not PCI compliant:
Different expectations apply to merchants. Visa, Inc. ranks merchants according to the following system, applying general PCI Compliance guidelines.
|Level||Merchant Selection Criteria||Validation Requirements|
|1||Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region||
|2||Merchants processing 1 million to 6 million Visa transactions annually (all channels)||
|3||Merchants processing 20,000 to 1 million Visa e-commerce transactions annually||
|4||Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually||