Definition

PCI DSS (Payment Card Industry Data Security Standard) is a set of rules that ensure online credit card transactions are protected & safe from hackers. These rules apply to every business that processes, stores, or transmits credit card information over the internet. It was developed in 2004 by a group of payment card issuers (American Express, Visa, Discover, JCB, and MasterCard) to reduce risks related to Payment card fraud and hacking.

It’s the best way to make sure you don’t miss any business security requirements. Additionally, merchant banks & payment gateways do not want to work with insecure companies so they require each merchant to provide a PCI SAQ to prove the security of payment.

There are 9 different types of SAQ “Self-Assessment Questionnaire” that a merchant can choose from. How credit card and cardholder data is handled determines which SAQ the business needs.

• SAQ A is for e-commerce/mail/telephone-order merchants that have fully outsourced all card acceptance functions. No storing, processing, or transmission of any cardholder’s data on the merchant’s systems or premises. The merchant website provides an iframe or URL that redirects the user to a 3rd party to complete the transaction.

For this type, the vulnerability scan is NOT required as the merchant can’t impact the security of the payment transaction.

• SAQ A-EP is for e-commerce merchants that use a third-party service provider to handle their card acceptance functions using direct-post OR transparent redirect service method.

For this type, the vulnerability scan & penetration test are required as the merchant may impact the security of the payment transaction.

• SAQ B is for merchants that use imprint machines (Analog phone, fax, or stand-alone terminal), and have no electronic storage of cardholder’s data, no transmission, processing, or storing.

For this type, the vulnerability scan is NOT required.

• SAQ B-IP is for merchants that use only Internet-based standalone, PTS-approved payment terminals with an IP connection to the payment processor, and have no electronic storage of cardholder’s data.

For this type, the vulnerability scan is required as the merchant may impact the security of the payment transaction.

• SAQ C is for any merchant with a payment application connected to the Internet, with no electronic storage of the cardholder’s data. For example:

> Virtual terminal (Not C-VT eligible).

> IP terminal (Not B-IP eligible).

> Mobile device (smartphone/tablet) with a card processing application or swipe device.

> View or handle cardholder data via the Internet.

> POS with tokenization

For this type, the vulnerability scan is required as the merchant may impact the security of the payment transaction.

• SAQ C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing no swipe device. No electronic storage of cardholder’s data.

For this type, the vulnerability scan is NOT required.

• SAQ P2PE is for merchants using approved point-to-point encryption (P2PE) devices, with no electronic card data storage.

For this type, the vulnerability scan is NOT required.

• SAQ D is for merchants & e-commerce websites who don’t outsource their card acceptance to a 3rd party and don’t use a direct post or transparent redirect service method. Merchants may store credit card data electronically (i.e. email, e-fax, recorded calls, … etc.)

For this type, the vulnerability scan & penetration test are required as the merchant may impact the security of the payment transaction.

• SAQ D-SP is for Service Providers who are directly involved in the processing, storage, or transmission of cardholder data on behalf of another business and are considered eligible to complete an SAQ. For example, a service provider that hosts e-commerce websites or provides managed services that interact with the flow of e-commerce data.

For this type, the vulnerability scan & penetration test are required as the merchant may impact the security of the payment transaction.