All merchants that store, process or transmit cardholder data must be PCI DSS compliant in line with the standard's requirements. Each merchant categorized as a Level 1, Level 2 or Level 3 merchant is required to report its compliance status directly to its acquiring bank.
Generally, Level 1 merchants are required to validate through an annual onsite assessment. This may require the merchant to hire a QSA company to perform the assessment, or the merchant may be able to perform the assessment using its own internal resources, such as its internal audit department or its Internal Security Assessor (ISA). However, all merchants should review the specific payment brand requirements for restrictions or limitations before performing their assessment using internal resources or ISA personnel.
Level 2 merchants may be eligible to complete a self-assessment and, if so, would submit a Self-Assessment Questionnaire (SAQ) for their validation. However, some restrictions may apply, and all Level 2 merchants should check the payment brand requirements before undertaking a self-assessment.
Validation for Level 3 and Level 4 merchants is typically determined by each payment brand or by the merchant's acquirer. These merchants need to contact their acquirers for guidance on their validation and reporting responsibilities.