PCI Merchant Requirements
0 Tolerance is a listed Payment Card Industry (PCI) Qualified Security Assessor (QSA) and can help you understand the PCI Merchant requirements.
The PCI Data Security Standard (PCI DSS) is a contractual requirement set forth by the PCI Security Standards Council (PCI SSC) to protect cardholder data. It applies to any organization that stores, processes, or transmits cardholder data, regardless of the size or number of transactions. It also applies to organizations that impact the security of card transactions. The PCI DSS protects cardholder data by requiring organizations to implement security controls and best practices. Level 1 organizations must undergo annual third-party Qualified Security Assessor (QSA) audits to ensure that their security controls are effective and comply with the PCI DSS.
Merchants are organizations that accept credit and debit card payments from customers. They are responsible for ensuring that their payment systems are PCI DSS compliant. Merchants are assigned to one of four levels, Level 1 through Level 4, based on annual transaction volume and how cards are accepted. Level 1 Merchants must undergo a third-party audit. Level 2 Merchants may have either a third-party assessment or a self-assessment option. Level 3 and Level 4 Merchants generally self-assess.
PCI Penetration Testing Requirements
Penetration testing must be performed by a qualified resource who is organizationally independent of, and free of any conflict of interest with, the organization being tested.
Who needs it?
- Level 1 Merchants must undergo a full annual pen test.
- Level 2-4 Merchants completing SAQ Type A-EP must undergo external network penetration testing and internal network segmentation testing.
- Level 2-4 Merchants completing SAQ Type B-IP must undergo internal network segmentation testing.
- Level 2-4 Merchants completing SAQ Type C must undergo internal network segmentation testing.
- Level 2-4 Merchants completing SAQ Type C-VT must undergo internal network segmentation testing.
- Level 2-4 Merchants completing SAQ Type D must undergo external network pen testing, full internal network pen testing, and internal network segmentation testing.
PCI External Vulnerability Scanning Requirements
External vulnerability scans must be performed by a PCI Approved Scanning Vendor (ASV).
Who needs it?
- Level 1 Merchants
- Level 2-4 Merchants completing SAQ Types A-EP, B-IP, C, or D.
PCI Internal Vulnerability Scanning Requirements
Who needs it?
- Level 1 Merchants
- Level 2-4 Merchants completing SAQ Types C or D.
QSA Services for Merchants and Service Providers
We perform the following engagements:
- Level 1 Compliance Assessments (Report on Compliance)
- Level 2 Compliance Assessments (Assisted SAQ)
- Gap, Risk and Readiness Assessments
PCI Penetration Testing
0Tolerance performs penetration testing and segmentation testing for PCI DSS purposes:
- External network and application pen testing
- Internal network pen testing
- Segmentation testing
PCI Approved Scanning Vendor
0Tolerance offers an industry-leading ASV solution that we have customized for your benefit:
- External vulnerability scans for ASV purposes
- Attestations of Scan Compliance (AoSC) and Seals
- Complete the Self-Assessment Questionnaire(s) Online