PCI DSS


The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security standards relating to card processing. They were first put in place in 2004 and are updated on a regular basis. Compliance with PCI DSS is mandatory for any organization that handles cards from any of the major card schemes. The standards are managed by the PCI Security Standards Council.


SELF-ASSESSMENT QUESTIONNAIRE (SAQ)


Certification for merchant levels 2, 3 or 4 (basically any merchant processing up to 6 million transactions per year; see below for detailed level criteria) can be achieved using a Self-Assessment Questionnaire (SAQ). There are different types of SAQ; you will need to ensure you select the one that matches the way you wish to process cards.


SAQ A

  • Merchant website is entirely hosted and managed by a PCI-compliant, third-party payment processor, OR 
  • Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, where no elements of the page originate from the merchant website. 


SAQ A-EP 

  • Merchant website creates a payment form and “direct posts” payment data to a PCI-compliant, third-party payment processor, OR
  • Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, BUT some elements of the payment page originate from the merchant website. (Elements could be JavaScript, CSS or any other functionality that supports how the payment page is created.) 


Note: SAQ A-EP is the minimum requirement for using the managed form method. 



SAQ D-Merchant 

  • E-commerce merchant that cannot meet the criteria for SAQ A or SAQ A-EP, OR 
  • E-commerce merchant that stores credit card data, OR 
  • Payment pages are delivered from the merchant’s website. 


Note: SAQ D-Merchant is the minimum requirement for using the own form method. 



MERCHANT LEVELS 

The merchant level is based mainly on the number of card transactions processed per year.


Level 1

Merchant Criteria:

  • Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year. 
  • Any merchant that has had a data breach or attack that resulted in any account data compromise. 
  • Any merchant identified by any card association as Level 1. 


Validation Requirements: 

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA) – also commonly known as a Level 1 onsite assessment. 
  • Quarterly network scan by Approved Scan Vendor (ASV). 
  • Attestation of Compliance.


Level 2 

Merchant Criteria: 

  • 1 million to 6 million transactions annually (all channels).


Validation Requirements: 

  • Annual Self-Assessment Questionnaire (SAQ). 
  • Quarterly network scan by Approved Scan Vendor (ASV). 
  • Attestation of Compliance. 


Level 3

Merchant Criteria: 

  • Merchants processing 20,000 to 1 million e-commerce transactions annually. 


Validation Requirements: 

  • Annual Self-Assessment Questionnaire (SAQ). 
  • Quarterly network scan by Approved Scan Vendor (ASV). 
  • Attestation of Compliance. 


Level 4 

Merchant Criteria: 

  • Less than 20,000 e-commerce transactions annually. 


Validation Requirements: 

  • Annual Self-Assessment Questionnaire (SAQ). 
  • Quarterly network scan by Approved Scan Vendor (ASV). 
  • Attestation of Compliance.