4. PCI DSS defines 4 levels of merchants
source: http://www.pcistandard.com/merchantlevels.html

Level | # of transactions | Review by | Vulnerability scan
Level 1 | over 6m in any channel | QSA | ASV (e.g. Qualys)
Level 2 | 1m - 6m in any channel | self questionnaire | ASV (e.g. Qualys)
Level 3 | 20k - 1m online transactions | self questionnaire | ASV (e.g. Qualys)
Level 4 | less than 20k online or up to 1m in any channel | self questionnaire (not mandatory) | ASV (e.g. Qualys) (not mandatory)
5.
6. System classification for patch management and risk management

[Diagram: Internet, Internal network, Head office, DMZ, POS server, mainframe, eBusiness, VPN GW, acquirer, settlement, Store network]

Network or Host IPS may lower the level by 2

Level | Critical | Important | High | Medium | Low
5 | 24 hours | 5 days | 14 days | 20 days | 40 days
4 | 5 days | 10 days | 20 days | 1 month | 2 months
3 | 10 days | 20 days | 1 month | 2 months | 3 months
2 | 6 months* | Next release* | Next release | Next release | No fix
1 | no fix* | no fix* | no fix | no fix | No fix