External Vulnerability Scans (ASV)

All entities, including merchants, service providers and financial institutions, must have a quarterly scan completed to remain compliant with the PCI DSS standards. The table below lists the quarterly network scan requirements for service providers by region.

Visa USA & CEMEA - Service Provider Levels and Validation Actions

Level 1

All VisaNet processors (member and non-member) and all payment gateways

  • Annual On-Site PCI DSS Assessment
  • Quarterly Network Scan

Level 2

Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.

  • Annual On-Site PCI DSS Assessment
  • Quarterly Network Scan

Level 3

Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.

  • PCI Self-Assessment Questionnaire
  • Quarterly Network Scan

According to Visa, payment gateways are a category of agent or service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction. Specifically, they enable payment transactions (e.g., authorization or settlement) between merchants and processors (VisaNet endpoints). Merchants may send their payment transactions directly to an endpoint, or indirectly to a payment gateway.

Visa Asia/Pacific - Service Provider Levels and Validation Actions

Self Assessment Questionnaire

  • More than 600,000 Visa transactions per year :- Optional
  • Between 120,000 and 600,000 Visa transactions per year :- Mandated
  • Less than 120,000 Visa transactions :- Mandated

Quarterly Network Scan

  • More than 600,000 Visa transactions per year :- Mandated
  • Between 120,000 and 600,000 Visa transactions per year :- Mandated
  • Less than 120,000 Visa transactions :- Recommended

Onsite Review

  • More than 600,000 Visa transactions per year :- Mandated
  • Between 120,000 and 600,000 Visa transactions per year :- Recommended
  • Less than 120,000 Visa transactions :- Recommended

MasterCard

Level 1

All TPPs. All DSEs that store, transmit, or process greater than 1,000,000 total combined MasterCard and Maestro transactions annually.

  • Annual On-Site PCI Data Security Assessment
  • Quarterly Network Scan

Level 2

Includes all DSEs that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually.

  • PCI Self-Assessment Questionnaire
  • Quarterly Network Scan

PCI Data Security Standard Compliance for Merchants

Level 1

  • Any merchant – regardless of acceptance channel – processing more than 6,000,000 Visa transactions per year
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant identified by any card association as Level 1

Validated by: Independent Security Assessor or Internal Audit if signed by an Officer of the company; Qualified Independent Scan Vendor

  • Annual On-Site Audit
  • Quarterly Network Scan

Level 2

1 million – 6 million Visa or MasterCard transactions per year

Validated by: Merchant; Qualified Independent Scan Vendor

  • Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan

Level 3

20,000 – 1 million Visa or MasterCard e-commerce transactions per year

Validated by: Merchant; Qualified Independent Scan Vendor

  • Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan

Level 4

Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year

Validated by: Merchant; Qualified Independent Scan Vendor

Note: While compliance is mandatory for Level 4 Merchants, validation is optional but strongly recommended.

  • Recommended Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
