Payment Security & Reporting Service At Its Best!

A Direct Processor Sales Consultant can assist you with PCI, Security, Compliance and Reporting Services Questions.

ARE YOU PCI COMPLIANT?

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit). In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. The PCI DSS requires that all merchants with externally facing IP addresses perform quarterly external network scans to achieve compliance. Acquirers may require submission of the quarterly scan reports and/or questionnaires by Level 4 merchants. Any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.

Merchant levels and compliance validation requirements defined

 

| LEVEL / TIER (1) | MERCHANT CRITERIA | VALIDATION REQUIREMENTS |
|---|---|---|
| 1 | Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region (2) | Annual Report on Compliance ("ROC") by Qualified Security Assessor ("QSA") or internal auditor if signed by officer of the company; Quarterly network scan by Approved Scan Vendor ("ASV"); Attestation of Compliance Form |
| 2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire ("SAQ"); Quarterly network scan by ASV; Attestation of Compliance Form |
| 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ; Quarterly network scan by ASV; Attestation of Compliance Form |
| 4 | Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually | Annual SAQ Recommended; Quarterly network scan by ASV if applicable; Compliance validation requirements set by acquirer |

1 - Compromised entities may be escalated at regional discretion.
2 - Merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exception may apply to global merchants if no common infrastructure and if Visa data is not aggregated across borders; in such cases merchant validates according to regional levels.

Acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.

Visit Visa for More information