It’d be a lie to tell you that Payment Card Industry (PCI) standards are easy to navigate. Between annual Reports on Compliance (ROCs) and Self-Assessment Questionnaires (SAQs), there are many different assessments your organization may need to complete. The ways your organization process payment data, how much payment information you process, the storage methods you employ, and more, all play a part in which kinds of assessments you may need to do.
Here’s a look at the kinds of assessments you might run into and what would require you to take which assessments.
Annual PCI Report on Compliance (ROC) Performed by a Qualified Security Assessor (QSA)
- Service providers that process more than 300,000 VISA or Mastercard transactions annually
- Level 1 merchants
- Companies that sell products to cardholders and process more than 6 million transactions annually
Self-Assessment Questionnaire (SAQ) SAQ-D-Service Provider
- Any service providers (third party vendors) that can affect the security of cardholder data or store, process or transmit fewer than 300,000 VISA or Mastercard transactions annually
- Basically the “catch-all” of PCI assessments, SAQ-Ds are used:
- by level 2-4 merchants who enter cardholder data manually into a point of sale system that is not on a segmented network.
- if you store cardholder data at all electronically as a level 2-4 merchant.
- If you take payment by mail or phone or you store images of the mail or store the recorded phone content, and you don’t have a process to ensure data is not captured in the recording
- by level 2-4 merchants who have a flat network and enter credit card data into a website using keyboards when payment cards do not work or when answering phone or mail
- If you process payments through an internet- or network-connected POI device, and that device or computer is not completely segmented from other systems on the network.
- If you’re a level 2-4 merchant using POI devices all listed as P2PE validated solutions, and payment cards are swiped, dipped, or inserted into the device, SAQ-P2PE may be appropriate.
- If your POI devices are not P2PE validated and they’re connected through a phone, SAQ-B requirements may suffice.
- If the POI devices are not P2PE validated and are connected through a completely segmented network, your solution aligns with the requirements in SAQ-B-IP.
- If a level 2-4 merchant takes payment over phone or through the mail and inputs the card data through a device connected to a Point of Sale (POS) application on a completely segmented computer, then an SAQ-C may suffice.
- If a level 2-4 merchant takes payment over phone or through the mail and inputs the card data on a website using the browser on computer that is completely segmented from the network, then the solution aligns with SAQ-C-VT.
- For level 2-4 merchants who accept cardholder data online and use an iframe from PayPal or another PCI validated third-party processing site, or redirect to a validated gateway like PayPal for their payment page, SAQ-A may be used.
- If your website is not hosted by a PCI validated third-party hosting provider, and you don’t use an iframe from or redirect to a validated gateway like PayPal to take cardholder data online, you’ll be required to complete an SAQ-A-EP.
This is not a fool-proof system. It is, however, light guidance to help get you and other organizations moving in the right direction. If you’d like to do a deeper dive into which assessments your organization will need to complete and how you can improve your payment card security in general, consult a security expert like FRSecure, check with your bank, or review the PCI Security Standards Council website for official documents.