PCI DSS Compliance

The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. The Payment Card Industry Data Security Standard (PCI DSS) was developed to secure cardholder data (credit card and debit card data).

PCI-DSS v3.2.1 is the latest standard and can be downloaded from the PCI Council website (https://www.pcisecuritystandards.org/).

The PCI-DSS Prioritized Approach tool can also be downloaded from the PCI Council website.

To whom is it applicable?

PCI-DSS applies to all entities that store, process or transmit cardholder data (CHD).

PCI DSS Compliance Levels:

The PCI DSS compliance level is determined by the annual number of credit or debit card transactions. There are four levels:

  • PCI-DSS Level 1
  • PCI-DSS Level 2
  • PCI-DSS Level 3
  • PCI-DSS Level 4

The validation requirements depend on the merchant/service provider level:

| Level | No. of transactions | SAQ required | Scan by Approved Scanning Vendor (ASV) | Annual onsite QSA audit | Submit Attestation of Compliance (AOC) report | Report on Compliance (ROC) by QSA |
|---|---|---|---|---|---|---|
| Level 1 | Process more than 6 million transactions per year, regardless of channel | NA | Quarterly | Yes | Annually | Annually |
| Level 2 | Process 1 to 6 million transactions per year | Yes | Quarterly | NA | Annually | No |
| Level 3 | Process 20,000 to 1 million transactions per year | Yes | Quarterly | NA | Annually | No |
| Level 4 | Process less than 20,000 transactions per year | Yes | Quarterly (if applicable) | NA | Annually | No |

SAQ = Self Attested Questionnaire

ASV = Approved Scanning Vendor

Self Attested Questionnaire (SAQ):

| SAQ | Description | Payment acceptance channel | No. of questions | Quarterly internal vulnerability assessment | Quarterly ASV scans | Penetration test | Segmentation testing | Web application assessment | Wireless network scans |
|---|---|---|---|---|---|---|---|---|---|
| SAQ A | Card-not-present merchants who have fully outsourced all cardholder data functions to PCI-DSS compliant third-party service providers, with no electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises. It is for e-commerce/mail/telephone-order merchants. This would never apply to face-to-face merchants. | Card-not-present only; e-commerce | 22 | No | No | No | If segmentation used | No | No |
| SAQ A-EP | E-commerce merchants who outsource all payment processing to PCI-DSS compliant third parties and have a website that does not directly receive cardholder data but can impact the security of the transaction. The merchant website accepts payment using direct post or transparent redirect. | Card-not-present only; e-commerce | 193 | Yes | Yes | Yes | No | Annually | Quarterly |
| SAQ B | Merchants with only imprint machines or only standalone dial-out payment terminals, and no electronic storage, processing or transmission of cardholder data. Not for e-commerce environments. | Card-not-present; card present | 41 | No | No | No | No | No | No |
| SAQ B-IP | Merchants with standalone, IP-connected payment terminals. No e-commerce or electronic cardholder data storage. | Card-not-present; card present | 84 | No | Yes | If segmentation used | No | No | No |
| SAQ C-VT | Merchants with a web-based virtual terminal connected to the internet and no electronic storage, processing or transmission of cardholder data. Not for e-commerce environments. | Card-not-present; card present | 79 | No | No | If segmentation used | No | No | No |
| SAQ C | Merchants with payment application systems connected to the internet and no electronic storage, processing or transmission of cardholder data. Not for e-commerce environments. | Card-not-present; card present | 160 | Yes | Yes | If segmentation used | If segmentation used | Annually | Quarterly |
| SAQ P2PE | Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution. No e-commerce or electronic cardholder data storage. | Card-not-present; card present | 33 | No | No | No | No | No | No |
| SAQ D Merchant | All SAQ-eligible merchants not meeting the criteria of any other SAQ type. | Card-not-present; card present; e-commerce | 328 | Yes | Yes | Yes | If segmentation used | Annually | Quarterly |
| SAQ D Service Provider | All service providers defined by a payment brand as being SAQ eligible. | Card-not-present; card present; e-commerce | 370 | Yes | Yes | Yes | If segmentation used | Annually | Quarterly |

Cybernetic Global Intelligence is a PCI QSA company. Our experts will make the SAQ compliance and attestation process easier. For more details, contact us.