PCI Compliance

The Payment Card Industry (PCI) Security Standards Council (an organization formed by the card brands) created the PCI Data Security Standard (DSS) to help merchants protect customer account data. If you are a merchant that stores, processes or transmits cardholder data, or a service provider which does this on behalf of a merchant, you are responsible for protecting this information and complying with the PCI DSS. Failure to comply could result in costly fines, audit costs, restrictions or worse should a breach occur.

FirstCard has partnered with the industry leader in PCI support, ControlScan. The combination of FirstCard and ControlScan ensures that our merchants have the best level of PCI support available. Our dedicated PCI staff will work with you and ControlScan to make sure that you are fully PCI compliant. We strongly encourage all of our merchants to achieve full compliance with the PCI Security Standard and repeatedly remind any merchants who are not compliant to rectify that immediately.

You can learn more about PCI from the PCI Security Standards Council here.


Merchant Levels

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level.

| Merchant Level* | Description |
| --- | --- |
| 1 | Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region.** Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
| 2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year. |
| 3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. |
| 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. |

Source: Visa Merchant Level Security Standards

*Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
**A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.