PCI DSS Compliance

 

The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. The Payment Card Industry Data Security Standard (PCI DSS) was developed to secure cardholder data (credit card and debit card).

PCI-DSS v3.2.1 is the latest standard and can be downloaded from the PCI Council website (https://www.pcisecuritystandards.org/).

The PCI-DSS Prioritized Approach tool can also be downloaded from the PCI Council website.

To whom is it applicable?

PCI-DSS is applicable to all entities that store, process or transmit cardholder data (CHD).

PCI DSS Compliance Levels:

The PCI DSS compliance level is determined by the annual number of credit or debit card transactions. There are 4 levels:

  • PCI-DSS Level 1
  • PCI-DSS Level 2
  • PCI-DSS Level 3
  • PCI-DSS Level 4

The requirements depend on the level of the merchant/service provider:

| Level | No. of transactions | SAQ required | Scan by Approved Scanning Vendor (ASV) | Annual onsite QSA audit | Submit Attestation of Compliance (AOC) report | Report on Compliance (ROC) by QSA |
|---|---|---|---|---|---|---|
| Level 1 | Process more than 6 million transactions per year regardless of channel | NA | Quarterly | Yes | Annually | Annually |
| Level 2 | Process 1 to 6 million transactions per year | Yes | Quarterly | NA | Annually | No |
| Level 3 | Process 20,000 to 1 million transactions per year | Yes | Quarterly | NA | Annually | No |
| Level 4 | Process less than 20,000 transactions per year | Yes | Quarterly (if applicable) | NA | Annually | No |

 

SAQ = Self Attested Questionnaire

ASV = Approved Scanning Vendor

 

Self Attested Questionnaire (SAQ):

 

| SAQ | Description | Payment acceptance channel | No. of questions | Quarterly internal vulnerability assessment | Quarterly ASV scans | Penetration test | Segmentation testing? | Web application assessment | Wireless network scans |
|---|---|---|---|---|---|---|---|---|---|
| SAQ A | Card-not-present merchants who have fully outsourced all cardholder data functions to PCI-DSS compliant third-party service providers, with no electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises. It is for e-commerce/mail/telephone-order merchants. This would never apply to face-to-face merchants. | Card-not-present only; e-commerce | 22 | No | No | No | If segmentation used | No | No |
| SAQ A-EP | E-commerce merchants who outsource all payment processing to PCI-DSS compliant third parties and who have a website that does not directly receive cardholder data but can impact the security of the transaction. The merchant website accepts payment using direct post or transparent redirect. | Card-not-present only; e-commerce | 193 | Yes | Yes | Yes | No | Annually | Quarterly |
| SAQ B | Merchants with only imprint machines or only standalone dial-out payment terminals, and no electronic storage, processing or transmission of cardholder data. Not for the e-commerce environment. | Card-not-present; card present | 41 | No | No | No | No | No | No |
| SAQ B-IP | Merchants with standalone, IP-connected payment terminals. No e-commerce or electronic cardholder data storage. | Card-not-present; card present | 84 | No | Yes | If segmentation used | No | No | No |
| SAQ C-VT | Merchants with a web-based virtual terminal connected to the internet and no electronic storage, processing or transmission of cardholder data. Not for the e-commerce environment. | Card-not-present; card present | 79 | No | No | If segmentation used | No | No | No |
| SAQ C | Merchants with payment application systems connected to the internet and no electronic storage, processing or transmission of cardholder data. Not for the e-commerce environment. | Card-not-present; card present | 160 | Yes | Yes | If segmentation used | If segmentation used | Annually | Quarterly |
| SAQ P2PE | Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC listed P2PE solution. No e-commerce or electronic cardholder data storage. | Card-not-present; card present | 33 | No | No | No | No | No | No |
| SAQ D Merchant | All SAQ-eligible merchants not meeting the criteria of any other SAQ type. | Card-not-present; card present; e-commerce | 328 | Yes | Yes | Yes | If segmentation used | Annually | Quarterly |
| SAQ D Service Provider | All service providers defined by a payment brand as being SAQ eligible. | Card-not-present; card present; e-commerce | 370 | Yes | Yes | Yes | If segmentation used | Annually | Quarterly |

 

Cybernetic Global Intelligence is a PCI QSA Company. Our experts will make the SAQ compliance and attestation process easier. For more details, contact us.
