Determining Your Service Provider Level

Use the following chart to determine your Service Provider level and PCI DSS validation requirements.

Level 1
Description: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year.*
Validation Action:
  • Annual on-site PCI Data Security Assessment and ROC
  • Quarterly Network Scan
Validated By:
  • Qualified Security Assessor
  • Approved Scanning Vendor

Level 2
Description: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year.**
Validation Action:
  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan
Validated By:
  • Service Provider
  • Approved Scanning Vendor

Source: http://usa.visa.com

*Eliminates payment gateway definition from several existing regional programs.

**Effective February 1, 2009, Level 2 service providers will no longer be listed on Visa's List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider.

Note that there may be significant business value in being included on Visa's list of compliant service providers published at http://www.visa.com/cisp. For this reason, Level 2 service providers may choose to incur the time and expense of being validated as a Level 1 service provider.