What is PCI DSS?

Definition

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect payment card transactions and cardholder data from attackers. These requirements apply to every business that processes, stores, or transmits credit card information. The standard was developed in 2004 by a group of payment card brands (American Express, Visa, Discover, JCB, and MasterCard) to reduce the risk of payment card fraud and data breaches.

Why do we need to complete an SAQ?

It is the most reliable way to make sure you do not miss any of the security requirements that apply to your business. Additionally, merchant banks and payment gateways do not want to work with insecure companies, so they require each merchant to submit a PCI SAQ to attest to the security of its payment handling.

What is the right SAQ for me?

There are nine types of SAQ (Self-Assessment Questionnaire) that a merchant can choose from. How the business handles credit card and cardholder data determines which SAQ it needs to complete.

  • SAQ A is for e-commerce or mail/telephone-order merchants that have fully outsourced all card acceptance functions: no cardholder data is stored, processed, or transmitted on the merchant’s systems or premises. The merchant website provides an iframe or a URL redirect that sends the customer to a third party to complete the transaction. For this type, the vulnerability scan is NOT required, as the merchant cannot impact the security of the payment transaction.

  • SAQ A-EP is for e-commerce merchants that use a third-party service provider to handle their card acceptance functions via the direct-post or transparent-redirect method. For this type, the vulnerability scan and penetration test are required, as the merchant may impact the security of the payment transaction.

  • SAQ B is for merchants that use imprint machines (analog phone, fax, or stand-alone terminal) and have no electronic storage, processing, or transmission of cardholder data. For this type, the vulnerability scan is NOT required.

  • SAQ B-IP is for merchants that use only Internet-based, PTS-approved standalone payment terminals with an IP connection to the payment processor, and have no electronic storage of cardholder data. For this type, the vulnerability scan is required, as the merchant may impact the security of the payment transaction.

  • SAQ C is for any merchant with a payment application connected to the Internet and no electronic storage of cardholder data. For example:
    > Virtual terminal (not C-VT eligible).
    > IP terminal (not B-IP eligible).
    > Mobile device (smartphone/tablet) with a card processing application or swipe device.
    > Viewing or handling cardholder data via the Internet.
    > POS with tokenization.
    For this type, the vulnerability scan is required, as the merchant may impact the security of the payment transaction.

  • SAQ C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing, with no swipe device and no electronic storage of cardholder data. For this type, the vulnerability scan is NOT required.

  • SAQ P2PE is for merchants using approved point-to-point encryption (P2PE) devices, with no electronic storage of card data. For this type, the vulnerability scan is NOT required.

  • SAQ D is for merchants and e-commerce websites that do not outsource their card acceptance to a third party and do not use the direct-post or transparent-redirect method. These merchants may store credit card data electronically (e.g., email, e-fax, recorded calls, etc.). For this type, the vulnerability scan and penetration test are required, as the merchant may impact the security of the payment transaction.

  • SAQ D-SP is for service providers that are directly involved in the processing, storage, or transmission of cardholder data on behalf of another business and are eligible to complete an SAQ; for example, a service provider that hosts e-commerce websites or provides managed services that interact with the flow of e-commerce data. For this type, the vulnerability scan and penetration test are required, as the service provider may impact the security of the payment transaction.

How Can Daam Al Arabia Help?

Earning PCI DSS Level 1 Certification

Want to learn more about earning your PCI DSS Level 1 Certification? Contact one of our PCI DSS experts today.

We conduct a thorough assessment of your current payment processing systems to identify any gaps or vulnerabilities in relation to PCI DSS Level 1 requirements. This includes reviewing your network architecture, data flow, and existing security measures.

Our team performs comprehensive vulnerability scans to identify potential weaknesses in your systems. These scans help ensure that all areas are secure against known threats and vulnerabilities.

We simulate real-world attacks on your payment systems through rigorous penetration testing. This proactive approach assesses the effectiveness of your security measures and uncovers any exploitable vulnerabilities.

We assist in creating and organizing all necessary compliance documentation required for PCI DSS Level 1. Additionally, we prepare your organization for annual audits, ensuring that all processes are well-documented and ready for review.

Our PCI DSS Level 1 Services

Earn your PCI DSS Level 1 certification and start your path towards secure payment processing. Contact one of our PCI DSS experts today.
