The Payment Card Industry Data Security Standard (PCI DSS) is a global standard mandated by the leading Card Schemes including Visa and MasterCard to reduce the risk of card data breach.
The numbers below reflect the levels set by Visa and MasterCard, which run their programs via Acquirers. Amex numbers are lower, and Amex runs its own program in the Australian market.
Merchants processing over 6 million transactions per annum require a full Report on Compliance (ROC) assessment.
Merchants processing between 1 and 6 million transactions: banks in Australia generally accept a QSA-assisted Self Assessment Questionnaire (SAQ) and will guide you on the validation required.
Merchants processing between 20,000 and 1 million ecommerce transactions can complete an SAQ or a ROC if they wish.
All other merchants can complete an SAQ or a ROC if they wish.
Service providers only have 2 levels. It is perfectly acceptable for a Level 2 Service Provider to complete an SAQ rather than a full audit.
Service providers processing over 300,000 Visa or MasterCard transactions per annum require a ROC assessment.
Service providers processing fewer than 300,000 Visa or MasterCard transactions per annum can complete an SAQ, although some clients may, at their discretion, contractually require a ROC.