
Overview

Understand your route to PCI DSS compliance

To understand how the PCI DSS applies to your organisation, it’s important to refer to each card payment brand’s PCI validation requirements.

As a general rule, merchants and service providers fall into one of four levels, based on their annual volume of card transactions. The level determines the minimum validation expected and whether the organisation completes a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC). All Level 1 merchants and service providers – organisations that process millions of transactions annually – are required to undergo an onsite assessment.

There are several versions of the SAQ, so it is important to choose the one that matches your payment scenario.

PCI SAQs

Which PCI SAQ is right for your organisation?

Merchants are encouraged to contact their merchant bank (acquirer) or the applicable payment brand(s) to identify the appropriate SAQ based on their eligibility. The main PCI SAQ types are listed below:

PCI SAQ A

Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS-validated third-party service providers and do not store, process or transmit cardholder data on in-house systems or premises.

PCI SAQ A-EP

E-commerce merchants that outsource all payment processing to PCI DSS-validated third parties and whose website(s) do not directly receive cardholder data but can affect the security of the payment transaction. No electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises.

PCI SAQ B

Merchants using imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage.

PCI SAQ B-IP

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

PCI SAQ C

Merchants with payment application systems connected to the internet that electronically store cardholder data.

PCI SAQ C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS-validated third-party service provider. No electronic cardholder data storage.

PCI SAQ P2PE-HW

Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.

PCI SAQ D

Includes merchants not covered by any other SAQ types as well as service providers defined by a payment brand as eligible to complete a SAQ.

