PCI DSS: Compliance , Certification & Requirements

Navdeep Singh Gill | 17 November 2019

What is PCI DSS?

The PCI SSC (Payment Card Industry Security Standards Council) is a governing organization and open global forum responsible for developing, managing, educating about, and raising awareness of the security standards, including PCI DSS and PA-DSS. It consists of 5 major payment brands: Visa, Mastercard, American Express, Discover, and JCB. The Payment Card Industry Data Security Standard is a set of standards for companies of any size that accept card payments. Ensuring PCI compliance helps companies keep customers' sensitive personal data secure. For detailed information about PCI DSS, you may visit their official site.

PCI DSS Compliance

Level 1: Any merchant that processes over 6 million card transactions annually.

  • Submit an annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA), or by an internal auditor if it is signed by an officer of the company. PCI QSA is a designation conferred by the PCI Security Standards Council; a QSA is hired to conduct a PCI assessment or to advise the organization on achieving compliance.
  • Have regular network scans performed by an Approved Scanning Vendor (ASV). A PCI ASV is a company that has been qualified and officially certified by the PCI Security Standards Council (SSC) to perform external vulnerability assessments.
  • Complete an Attestation of Compliance (AOC).

Level 2: Any merchant that processes 1 million to 6 million card transactions per year.

  • Have regular network scans performed by an ASV.
  • Complete an annual Self-Assessment Questionnaire (SAQ).
  • Complete an Attestation of Compliance (AOC).

Level 3: Any merchant that processes 20,000 to 1 million card transactions annually.

  • Have regular network scans performed by an ASV.
  • Complete an annual Self-Assessment Questionnaire (SAQ).
  • Complete an Attestation of Compliance (AOC).

Level 4: Any merchant that processes fewer than 20,000 card transactions per year.

  • Have regular network scans performed by an ASV.
  • Complete an annual Self-Assessment Questionnaire (SAQ).
  • Complete an Attestation of Compliance (AOC).

PCI DSS Certification

PCI certification assures card data security at your business through a set of conditions established by the PCI SSC. These include several commonly known best practices, such as:

  • Installation of firewalls
  • Encryption of data transmissions
  • Use of antivirus software

PCI DSS Requirements

Maintain a Secure Network

  1. Companies should create and maintain their own firewall configuration policy.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  3. Transmission of cardholder data across open, public networks is always done in an encrypted manner.
  4. Protect stored cardholder data.

Maintain a Vulnerability Management Program

  5. Use antivirus software and ensure that it is regularly updated.
  6. Companies should develop and maintain secure systems and applications.

Implement Access Control Measures

  7. Restrict access to cardholder data to a limited number of employees.
  8. Assign a unique ID to each person who has computer access.
  9. Restrict physical access to cardholder data (physical access provides an opportunity for persons to access or remove devices, data, systems, etc.).

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an Information Security Policy

  12. Companies should maintain a concrete information security policy, covering the acceptable uses of technology, an annual risk analysis process, and operational security procedures.

Self-Assessment Questionnaire (SAQ)

SAQ A: (card-not-present merchants, all cardholder data fully outsourced)

  • The company accepts only card-not-present (e-commerce or mail/telephone order) transactions.
  • All processing of cardholder data is entirely outsourced to PCI DSS-validated third-party service providers.
  • The company does not electronically store, process, or transmit any cardholder data on its systems or premises but relies entirely on the third party to handle all these functions.
  • The company must confirm that the third parties handling storage, processing, and transmission of cardholder data are PCI DSS compliant. Any cardholder data that the company retains is on paper (e.g., reports, receipts, etc.).
  • This SAQ would not apply to face-to-face channels.

SAQ A-EP: (partially outsourced e-commerce merchants, using a third-party website for payment processing)

  • The company accepts only e-commerce transactions.
  • SAQ A-EP merchants are e-commerce merchants who partially outsource their payment channel to a PCI DSS-validated third party.
  • All processing of cardholder data except the payment page is entirely outsourced to a PCI DSS-validated third-party payment processor.
  • Covers merchants that do not receive cardholder data but whose website controls how cardholder data is redirected to a PCI DSS-validated third-party payment processor.
  • The company does not electronically store, process, or transmit any cardholder data on its systems or premises.
  • Any cardholder data that the company retains is on paper (i.e., printed reports and receipts).
  • The company must confirm that third-party handling storage, processing, and other transmissions of cardholder data are PCI DSS compliant.

SAQ B: (merchants with only imprint machines or only standalone, dial-out terminals. No electronic cardholder data storage)

  • SAQ B should be completed by businesses that only process credit cards via imprint machines or standalone dial-out terminals.
  • Imprint machines are non-electronic, manually operated machines that imprint the face of the credit card. In contrast, the standalone terminal is the electronic point-of-sale device where customers insert their payment cards to pay for goods.
  • The dial-out terminal connects directly to the phone line, i.e., each time the card is processed, the terminal makes the call to the processor and transmits the information.
  • Dial-out terminals are not connected to any computer, network, or internet.
  • The company does not store cardholder data in electronic format.
  • The cardholder data the company retains is on paper.

SAQ B-IP: (merchants with standalone, IP-connected PTS Point-of-Interaction (POI) terminals, no electronic cardholder data storage)

  • This SAQ is for merchants who use standalone terminals that connect via IP (not a dial-up phone line), i.e., they have ethernet cables that connect to a router or modem, which in turn connects to an internal network or internet service provider.
  • Applicable to brick-and-mortar or mail/telephone order merchants.
  • No electronic storage of card data.

SAQ C-VT: ( merchants with web-based virtual terminals, no electronic cardholder data storage)

  • Applicable to merchants who process cardholder data only through an isolated virtual payment terminal on a PC connected to the internet.
  • A virtual payment terminal is web-browser-based access to an acquirer, processor, or third-party service provider website used to authorize payment card transactions, where the merchant manually enters payment card data through a securely connected web browser.
  • The virtual payment terminal solution is provided and hosted by a PCI DSS-validated third-party service provider.
  • The company does not store cardholder data in electronic format.
  • The cardholder data the company retains is on paper.

SAQ C: (merchants with payment application systems connected to the internet, no electronic cardholder data storage)

  • Merchants process cardholder data via point-of-sale (POS) systems that are connected to the internet but do not store any cardholder data.

SAQ D: (merchants that store cardholder data electronically, including legacy data)

  • The company stores card data electronically and does not use a P2PE-certified POS system.
  • E-commerce merchants who accept cardholder data on their own website.
  • Covers all 12 requirements.

How to Get More Information?

If you want more extensive information about the process of achieving PCI DSS compliance, you may read our use case on how we built a "Credit Fraud Detection" analytics platform for a leading bank. We help organizations of all sizes, from large companies to startups and small and medium enterprises; those who wish to become PCI DSS compliant can contact us to discuss their requirements. We would be happy to assist you.