Do not mistake “Levels” for “Types”!
In newsletter #4 we saw that the payment brands classify organizations accepting and processing credit cards into “levels.” Levels are related to the number of transaction processed annually on the payment brand networks and are used to indicate what compliance validation procedures and reporting requirements targeted entities are expected to complete.
So, pay attention: do not mistake “levels” for “types," which is another classification used in the context of PCIco.
What is it all about?
If “levels” are associated with the number of transactions processed annually, “types” are associated with the way organizations handle and process cardholder data. They are used to determine which sections and requirements of the PCI bible are applicable to these organizations.
So to know which sections of PCI DSS apply to your organization, you need to know your type.
Side note: As “types” determine relevant sections and requirements of PCI DSS, they are closely related to the self-assessment questionnaires that organizations are asked to complete as part of the validation procedure.
What are the 9 "types"?
If “levels” are independently defined by each payment brand, “types” have been defined conjointly by all brands. There are nine types namely:
Type A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Type A-EP: E-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
Type B: Merchants who process cardholder data only via imprint machines or standalone, dial-out terminals.
Type B-IP: Merchants who process cardholder data only via standalone, PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor.
Type PE2P: Merchants using only hardware terminals as part of a validated P2PE solution listed by PCI SSC.
Type C-VT: Merchants who process cardholder data only via isolated virtual terminals on personal computers connected to the Internet.
Type C: Merchants whose payment application systems are connected to the Internet.
Type S: Service providers
Type D: All other merchants who do not meet the above descriptions.
For more information about the way to determine your type, please review the PCI Data Security Standard Self-Assessment Questionnaire.