Do not mistake “Levels” for “Types”!

What is it all about?

In newsletter #4 we saw that the payment brands classify organizations accepting and processing credit cards into “levels.” Levels are related to the number of transactions processed annually on the payment brand networks and are used to indicate what compliance validation procedures and reporting requirements targeted entities are expected to complete.

So, pay attention: do not mistake “levels” for “types,” which is another classification used in the context of PCIco. While “levels” are associated with the number of transactions processed annually, “types” are associated with the way organizations handle and process cardholder data. They are used to determine which sections and requirements of the PCI bible are applicable to these organizations. So to know which sections of PCI DSS apply to your organization, you need to know your type.

Side note: As “types” determine the relevant sections and requirements of PCI DSS, they are closely related to the self-assessment questionnaires that organizations are asked to complete as part of the validation procedure.

What are the 5 "types"?

While “levels” are defined independently by each payment brand, “types” have been defined jointly by all brands. There are five types, namely A, B, C-VT, C and D.

Type A: Merchants who do not store cardholder data in electronic form and do not process or transmit any cardholder data on their systems or premises.

Type B: Merchants who process cardholder data only via imprint machines or standalone, dial-out terminals.

Type C-VT: Merchants who process cardholder data only via isolated virtual terminals on personal computers connected to the Internet.

Type C: Merchants whose payment application systems are connected to the Internet.

Type D: All other merchants who do not meet the above descriptions.

Reference: For more information about how to determine your type, please review the PCI Data Security Standard Self-Assessment Questionnaire.