If you process credit card data, you must comply with all security requirements. Which controls apply to you will be determined by a number of selection criteria.
Which controls apply to you?
| Level | Criteria | How to validate | Through whom to validate? |
|---|---|---|---|
| 1 | Every trader who processes more than 6 million Visa or MasterCard transactions annually, regardless of the manner in which those transactions were accepted. Every trader who has been hacked or was put at risk by a virtual attack. Every trader who, according to Visa or MasterCard, must comply with the requirements of Level 1 to limit the risks for the Visa or MasterCard system to a minimum. | Obligatory annual security audit on site and three-monthly scanning of the network. | Independent security expert or internal audit (subject to written approval of a responsible person within the organisation) and recognised independent scan vendors. |
| 2 | Every trader who processes more than 1 million Visa or MasterCard operations annually. | Obligatory annual self-checking (PCI questionnaire) and three-monthly scanning of the network. | Trader and recognised independent scan vendors. |
| 3 | Every e-commerce trader who processes 20,000 to 1 million Visa or MasterCard transactions annually. | Obligatory annual self-checking (PCI questionnaire) and three-monthly scanning of the network. | Trader and recognised independent scan vendors. |
| 4 | All other traders, regardless of the manner in which the transactions were accepted. | Advisory annual self-checking (PCI questionnaire) and three-monthly scanning of the network. | Trader and recognised independent 'Compliance' scan vendors. |
