Companies that meet Level 1 must have yearly on-site reviews by an internal auditor and a required network scan by an approved scanning vendor. A full list of approved scanning vendors (ASV) and contact information is available online from the PCI Security Standards Council.

Any companies that meet PCI compliance Levels 2, 3 or 4 must complete the PCI DSS Self Assessment Questionnaire annually and undergo quarterly network security scans with an approved scanning vendor.