What is my responsibility as a PCI DSS compromised Level 1 merchant?

Once a merchant has suffered a compromise, they will be re-classified as Level 1. As a Level 1 merchant, they must employ the services of a Qualified Security Assessor (QSA). The QSA will carry out an onsite visit, which will lead to a Pre-Audit, and then provide the merchant with a remediation plan.

The merchant must then carry out the work required in order to become compliant. A QSA must then revisit the site and carry out a final audit. Ultimately, this will lead to the QSA compiling a Report on Compliance (RoC), which is what the Acquirer requires to satisfy the card schemes that the merchant has met the relevant PCI DSS criteria. If external network vulnerability scans are required, these must be carried out by an Approved Scanning Vendor (ASV), and clean scans must accompany the RoC in order to gain compliant status.

Once the merchant has obtained compliant status, they must maintain this status for a period of one year. At the end of that year, the merchant will be reassessed to their normal level (dependent on transaction volumes) and should continue to revalidate their compliance against that level.
