Level 1 and 2 merchants must include ___________ as part of their PCI DSS compliance validation reporting process?

1 Answer

3 votes

Final answer:

Level 1 and 2 merchants are required to include a Report on Compliance (ROC) and, depending on the card brand requirements, a Self-Assessment Questionnaire (SAQ) as part of their PCI DSS compliance reporting. Quarterly network scans by an ASV and an Attestation of Compliance (AOC) are also required.

Step-by-step explanation:

Level 1 and 2 merchants must include a Report on Compliance (ROC) as part of their PCI DSS compliance validation reporting process. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. For Level 1 merchants, which typically process over 6 million Visa transactions per year, the ROC must be completed by a Qualified Security Assessor (QSA) or an Internal Auditor if signed off by an officer of the company. Level 2 merchants, processing 1 to 6 million Visa transactions annually, can either complete a Self-Assessment Questionnaire (SAQ) or a ROC, depending on the card brand requirements.

Additionally, both levels are required to undergo a quarterly network scan by an Approved Scanning Vendor (ASV) and submit an Attestation of Compliance (AOC). Understanding and abiding by PCI DSS requirements is essential for merchants to protect cardholder data and avoid potential security breaches that can lead to severe penalties.

by User Nkdm (7.9k points)