Implementation Guides
rx.jeff
06-09-2009, 08:08 AM
Has anyone included steps on how to go about finding out what merchant level one is and then from there find out what kind of validation requirements are necessary and then which SAQ forms to fill out, etc.?
I.e., a complete guide for customers, from finding out your merchant level to what to do if you're at this level and how to implement the POS?
I've never seen this. Since I was recently tasked to do an Implementation Guide #2 for our other entity, I thought I'd put it all in one kind of deal.
Curious as to what you QSAs think of this - what are the cons in doing this?
jbhall56
06-09-2009, 07:36 PM
Merchant level does not and should not affect an application's implementation guide. While the majority of an application's customers might be merchant level 4, the software could be used by any merchant at any level and you cannot anticipate that fact. Therefore, you need to write your Implementation Guide for the worst case, merchant level 1.
rx.jeff
06-17-2009, 02:20 PM
Merchant level does not and should not affect an application's implementation guide. While the majority of an application's customers might be merchant level 4, the software could be used by any merchant at any level and you cannot anticipate that fact. Therefore, you need to write your Implementation Guide for the worst case, merchant level 1.
I understand that merchant level does not influence/affect an application's IG. However, I was wondering whether to put in a section on how to determine what level one is at and how to go about doing this in the guide, so that our customers can do this themselves without calling us and asking us, as if we (our company) have a responsibility to make sure that they are compliant. As a payment application provider, we are only responsible for making sure our applications/hardware are PA-DSS compliant. We are not responsible for making sure that our customers are PCI-DSS compliant. I thought I'd spell it out in a flowchart manner to assist them in understanding the steps and also to stress to them that just because they have a PCI compliant application, this does not mean they are PCI compliant! Many of our customers are holding this attitude that they will be compliant as soon as they upgrade to this version and that version.
Do you see any downfall in adding this?
jbhall56
06-19-2009, 10:28 PM
While I admire your willingness to assist your customers, I think you should just stick to pointing them to the PCI SSC and their Web site and leave it at that. What you develop today to explain the process is likely not what the process will be 6 to 12 months from now.