External Vulnerability Scans (ASV)
All entities, including merchants, service providers and financial institutions, must have a quarterly scan completed to remain compliant with the PCI DSS standards. The table below lists the quarterly network scan requirements for service providers by region.
1
Visa USA & CEMEA – Service Provider Levels and Validation Actions
1. All VisaNet processors (member and non-member) and all payment gateways.
Validation Actions:-
a> Annual On-Site PCI Data Security Assessment
b> Quarterly Network Scan
​
2. Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
Validation Actions:-
a> Annual On-Site PCI Data Security Assessment
b> Quarterly Network Scan
​
3. Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.
Validation Actions:-
a> Annual PCI Self-Assessment Questionnaire
b> Quarterly Network Scan
​
*According to Visa, payment gateways are a category of agent or service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction. Specifically, they enable payment transactions (e.g., authorization or settlement) between merchants and processors (VisaNet endpoints). Merchants may send their payment transactions directly to an endpoint, or indirectly to a payment gateway.
​
2
Visa Asia/Pacific – Service Provider Levels and Validation Actions
A> Self-Assessment Questionnaire
More than 600,000 Visa transactions per year :- Optional
Between 120,000 and 600,000 Visa transactions per year :- Mandated
Less than 120,000 Visa transactions :- Mandated
​
B> Quarterly network scan
More than 600,000 Visa transactions per year :- Mandated
Between 120,000 and 600,000 Visa transactions per year :- Mandated
Less than 120,000 Visa transactions :- Recommended
​
C> Onsite review
More than 600,000 Visa transactions per year :- Mandated
Between 120,000 and 600,000 Visa transactions per year :- Recommended
Less than 120,000 Visa transactions :- Recommended
3
MasterCard – Service Provider Levels and Validation Actions
A> Level 1
Description :- All TPPs. All DSEs that store, transmit, or process greater than 1,000,000 total combined MasterCard and Maestro transactions annually.
Validation Action :- 1> Annual On-Site PCI Data Security Assessment
2> Quarterly Network Scan
​
B> Level 2
Description :- Includes all DSEs that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually.
Validation Action :- 1> Annual PCI Self-Assessment Questionnaire
2> Quarterly Network Scan
​
​
4
PCI Data Security Standard Compliance for Merchants
Level 1:- Any merchant – regardless of acceptance channel – processing more than 6,000,000 Visa transactions per year
Any merchant that has suffered a hack or an attack that resulted in an account data compromise
Any merchant identified by any card association as Level 1
Validation Actions :- Annual On-Site Security Audit and Quarterly Network Scan
Validated By:- Independent Security Assessor or Internal Audit if signed by an Officer of the company
Qualified Independent Scan Vendor
​
Level 2:- 1 million – 6 million Visa or MasterCard transactions per year
Validation Actions :- Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
Validated By:- Merchant
Qualified Independent Scan Vendor
​
Level 3:- 20,000 – 1 million Visa or MasterCard e-commerce transactions per year
Validation Actions :- Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
Validated By:- Merchant
Qualified Independent Scan Vendor
​
Level 4:- Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year
Validation Actions :- Recommended Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
Validated By:- Merchant
Qualified Independent Scan Vendor
Note: While compliance is mandatory for Level 4 Merchants, validation is optional but strongly recommended.
​