Payment Card Industry Security Standards Council (PCI SSC) is formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. The Payment Card Industry Data Security Standard (PCI DSS) is developed to secure cardholder data (credit card and debit card).
PCI-DSS v3.2.1 is the latest standard and can be downloaded from PCI Council website (https://www.pcisecuritystandards.org/)
PCI-DSS Prioritized Approach tool can be downloaded from PCI council website.
Whom it is applicable?
PCI-DSS is applicable to all entities those either store or process or transmit cardholder data (CHD).
PCI DSS Compliance Levels:
Based on the annual number of credit or debit card transactions PCI DSS compliance level is determined. There are 4 levels:
- PCI-DSS Level 1
- PCI-DSS Level 2
- PCI-DSS Level 3
- PCI-DSS Level 4
Depends on the level of merchant/ service provide
| Levels | No. of transactions | SAQ Required | Scan by Approved Scanning vendor (ASV) | Annual onsite QSA audit | Submit Attestation of Compliance (AOC) report) | Report on Compliance (ROC) by QSA |
| Level 1 | Process more than 6 million transactions per year regardless of channel | NA | Quarterly | Yes | Annually | Annually |
| Level 2 | Process 1 to 6 million transactions per year | Yes | Quarterly | NA | Annually | NO |
| Level 3 | Process 20,000 to 1 million transactions per year | Yes | Quarterly | NA | Annually | NO |
| Level 4 | Process less than 20,000 transactions per year | Yes | Quarterly (if applicable) | NA | Annually | NO |
SAQ = Self Attested Questionnaire
ASV = Approved Scanning vendor
Self Attested Questionnaire (SAQ):
| SAQ | Description | Payment Acceptance Channel | No of Questions | Quarterly internal Vulnerability Assessment | Quarterly ASV scans | Penetration test | Segmentation testing? | Web Application Assessment | Wireless Network scans |
| SAQ A | Card not present merchants who have fully outsourced all cardholder data functions to PCI-DSS compliant third-party service providers with no electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises. It is for e-commerce/mail/telephone-order merchants. This would never apply to face-to-face merchants. | – Card-not-present only – e-commerce | 22 | No | No | No | If Segmentation used | No | No |
| SAQ A-EP | E-commerce merchants who outsource all payment processing to PCI-DSS compliant third parties who have a website that does not directly receive cardholder data but can impact the security of the transaction. Merchant website accepts payment using direct post or transparent redirect. | – Card-not-present only – e-commerce | 193 | Yes | Yes | Yes | No | Annually | Quarterly |
| SAQ B | Merchants with only imprint machine or only standalone dial-out payment terminals, and have no electronic storage, processing or transmission of cardholder data. Not for e-commerce environment | – Card-not-present – Card present | 41 | No | No | No | No | No | No |
| SAQ B-IP | Merchants with standalone, IP connected payment terminals. No e-commerce or electronic cardholder data storage. | – Card-not-present – Card present | 84 | No | Yes | If Segmentation used | No | No | No |
| SAQ C-VT | Merchants with web-based virtual terminal connected to the internet and have no electronic storage, processing or transmission of cardholder data. Not for the e-commerce environment | – Card-not-present – Card present | 79 | No | No | If Segmentation used | No | No | No |
| SAQ C | Merchants with payment application systems connected to the internet and have no electronic storage, processing or transmission of cardholder data. Not for e-commerce environment | – Card-not-present – Card present | 160 | Yes | Yes | If Segmentation used | If Segmentation used | Annually | Quarterly |
| SAQ P2PE | Merchants using only hardware payment terminals included in and managed via a validated PCI SSC listed P2PE solution. No e-commerce or electronic cardholder data storage. | – Card-not-present – Card present | 33 | No | No | No | No | No | No |
| SAQ D Merchant | All SAQ eligible merchants not meeting the criteria of any other SAQ type | – Card-not-present – Card present – e-commerce | 328 | Yes | Yes | Yes | If Segmentation used | Annually | Quarterly |
| SAQ D Service Provider | All service providers defined by a payment brand as being SAQ eligible | – Card-not-present – Card present – e-commerce | 370 | Yes | Yes | Yes | If Segmentation used | Annually | Quarterly |
Cybernetic Global Intelligence is a PCI QSA Company. Our experts will make SAQ compliance and attestation process easier. For more details contact us.