All merchants that store, process or transmit cardholder data must be PCI compliant. Each merchant that is categorized as a Level 1, Level 2 or Level 3 merchant is required to report compliance status directly to its acquiring bank.
Determining merchant level often raises questions. Mastercard recommends that merchants contact their acquiring bank; with the bank's assistance, merchants can then complete the following steps:
Determine merchant level using Mastercard transaction volume from the most recent 52-week period
Confirm necessary PCI validation requirements
Engage an approved vendor, as appropriate, and follow the validation procedures
Once a merchant has been verified as compliant, the merchant must submit the validation requirements to its acquiring bank, which will then report the merchant's compliance status to Mastercard.
Visit pcisecuritystandards.org for the most up-to-date information.
A detailed assessment performed by a PCI SSC certified Qualified Security Assessor (QSA) or by a certified Internal Security Assessor (ISA). The assessment validates to the acquirer that the organization is handling card data in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
Applies to: Level 1 and 2 Merchants
Validation tool used primarily by merchants and service providers that are not required to undergo an onsite assessment, for self-evaluating their compliance with the PCI DSS.
Applies to: Levels 2, 3 and 4 Merchants
Vulnerability scanning, performed by a PCI SSC Approved Scanning Vendor (ASV), of all Internet-facing system components that are a part of, or provide a path to, the cardholder data environment.
Applies to: All Merchants (as applicable)