PCI Level 2 Requirements

0Tolerance is a listed Payment Card Industry (PCI) Qualified Security Assessor (QSA) and can help you understand the PCI Level 2 requirements.

PCI Level 2 Requirements

The PCI Data Security Standard (PCI DSS) is a set of security requirements, maintained by the PCI Security Standards Council (PCI SSC) and enforced contractually through the card brands and acquiring banks, that protects cardholder data. It applies to any organization that stores, processes, or transmits cardholder data, regardless of size or transaction volume, and to organizations that can affect the security of the cardholder data environment. Compliance is demonstrated by implementing the standard's security controls and validating them annually. Level 2 organizations normally validate through a Self-Assessment Questionnaire (SAQ); depending on the card brand, that SAQ must be completed by a PCI-certified Internal Security Assessor (ISA) or by a third-party Qualified Security Assessor (QSA) to confirm that the controls are in place and effective. In some cases a Level 2 organization must instead obtain an annual Report on Compliance (ROC) from a QSA, which is a full on-site assessment that goes well beyond an SAQ.

PCI Level 2 Service Provider Requirements

In the context of the PCI DSS, service providers are organizations that provide services to other organizations that handle cardholder data, or that can otherwise affect the security of cardholder data. Examples include payment processors, hosting providers, and managed service providers. Service providers are classified as either Level 1 or Level 2 based on transaction volume. Level 2 Service Providers have two validation options: an annual on-site assessment by a QSA resulting in a Report on Compliance (ROC), or the Self-Assessment Questionnaire Type D for Service Providers (SAQ D-SP), attested by a PCI ISA or completed with the assistance of a PCI QSA.


PCI Level 2 Merchant Requirements

Merchants, on the other hand, are organizations that accept credit and debit card payments from customers and are responsible for ensuring that their payment systems are PCI DSS compliant. Merchants are assigned to one of four levels (Level 1 through Level 4) based on annual transaction volume and how cards are accepted. Level 2 Merchants usually self-assess, but their acquirers and other stakeholders frequently ask them to engage a QSA to assist with, or attest to, the self-assessment.


PCI Penetration Testing Requirements

Must be performed by a qualified internal resource or a qualified external third party that is organizationally independent of the systems under test. The tester does not need to be a QSA or an ASV, but the methodology, scope, findings, and remediation retesting must be documented so the assessor can review them.

Who needs it?

  • Level 2 Service Providers must undergo a full penetration test (external and internal) at least annually and after any significant change to the environment.
  • Level 2 Service Providers must also perform segmentation testing at least every six months, which in practice means a second segmentation test roughly six months after the full annual test.
  • Level 2 Merchants completing SAQ Type A-EP must undergo external network penetration testing and internal network segmentation testing.
  • Level 2 Merchants completing SAQ Type B-IP, C, or C-VT must undergo internal network segmentation testing.
  • Level 2 Merchants completing SAQ Type D must undergo external network penetration testing, full internal network penetration testing, and internal network segmentation testing.

Segmentation testing applies only where network segmentation is used to isolate the cardholder data environment and reduce the scope of the assessment; its purpose is to verify that the segmentation controls actually block access from out-of-scope networks.

PCI External Vulnerability Scanning Requirements

Must be performed at least quarterly, and after any significant change to the external network, by a PCI SSC Approved Scanning Vendor (ASV). A scan counts toward compliance only when it produces a passing result, so failing scans must be remediated and rescanned within the quarter.

Who needs it?

  • Level 2 Service Providers
  • Level 2 Merchants completing SAQ Types A-EP, B-IP, C, or D.

PCI Internal Vulnerability Scanning Requirements

Must be performed at least quarterly and after any significant change by qualified personnel who are independent of the systems being scanned. An ASV is not required for internal scans, but scanning must be repeated until all high-risk vulnerabilities are resolved.

Who needs it?

  • Level 2 Service Providers
  • Level 2 Merchants completing SAQ Types C or D

QSA Services for Merchants and Service Providers

We perform the following engagements

PCI Penetration Testing

0Tolerance performs penetration testing and segmentation testing for PCI purposes.

PCI Approved Scanning Vendor

0Tolerance offers an industry-leading ASV scanning solution that we have customized for our clients' benefit.

We help you avoid costly payment card breaches.