PCI Scanning

You’ve got a business to run, yet today’s threat landscape demands that you quickly address your business’s security weaknesses. Effectively addressing the business’s security needs involves isolating the environment that attackers could exploit. But how can you isolate the environment if its boundaries are unclear?

The Moving Target of PCI Scope

When it comes to accurately analyzing your risk, understanding PCI scope is critical. This alone can be a daunting task. PCI scope is the totality of how your organization’s people, processes and systems interact with PAN data (your customers’ 16-digit credit card numbers). Scope is a moving target because, as your organization grows and changes over time, so does your organization’s PCI scope.

During times of rapid change, it can be easy to lose track of your company’s PCI scope. Change includes allowing vendors, partners or clients to connect to your network; upgrading or changing to new systems; adding or losing employees; merging with or spinning off business units; a sudden spike or drop in business; and moving employees around within the organization.
There are times when a company has several of these internal changes happening at the same time and in all likelihood its scope has grown without anyone knowing how or where.

Defining the Boundaries

PAN data can end up being stored in or transiting through components of your infrastructure that no one ever suspected would even remotely touch it. That’s a problem because you can’t protect something you don’t even realize needs protecting, and you can’t properly assess risk if you’re not looking at where the risks are located.

This is where the value of a third-party IT risk assessment is apparent. An independent assessor finds the boundaries of your company’s scope and works with you to build your understanding of how your business processes impact that scope.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).

It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

What are the PCI compliance ‘levels’ and how are they determined?

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

Merchant levels as defined by Visa

Merchant Level Description


Level 1
Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.


Level 2
Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.


Level 3
Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.


Level 4
Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.