PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, MasterCard, Discover, American Express and JCB) to help merchants protect cardholder data. PCI compliance is required of every merchant that accepts, processes, transmits, or stores payment card data. The standard's requirements are the same for everyone; what varies with the size of your business (transaction volume) and your processing method is how you must validate compliance, that is, whether you need an on-site assessment and a Report on Compliance or may self-assess.

For merchants that are not required to submit a Report on Compliance, typically small to midsized businesses, a Self-Assessment Questionnaire (SAQ) is the self-validation tool used to assess the security of cardholder data. Each SAQ is a series of yes-or-no questions, one per applicable PCI DSS requirement. Answering yes to a question means you have verified that the control is in place; a no answer means the requirement is not met and must be remediated before you can attest to compliance. The completed SAQ is submitted together with an Attestation of Compliance to your acquirer. Note that the SAQ type you use is determined by your processing environment and eligibility criteria, not by preference: choosing a shorter questionnaire does not change what an attacker can reach, so the eligibility criteria below should be read as the actual boundary of your cardholder data environment.

There are different questionnaires for different merchant environments. If your environment does not meet every eligibility criterion for one of the shorter SAQs, you fall through to SAQ D.

SAQ - A

Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. For e-commerce this normally means the entire payment page is served by the provider, either through a full redirect or a provider-hosted iframe. Not applicable to face-to-face channels.

SAQ - A-EP

E-commerce merchants that outsource all payment processing to PCI DSS validated third parties, and whose website(s) do not directly receive cardholder data but can still impact the security of the payment transaction (for example, a merchant-hosted page that builds the payment form and then posts the card data directly to the provider, or that loads the provider's payment script). No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.

SAQ - B

Merchants using only:

  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.

SAQ - B-IP

Merchants using only standalone, PTS-approved payment terminals with an IP (Internet) connection to the payment processor, where the terminals are not connected to any other systems in the merchant environment and there is no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ - C-VT

Merchants who manually enter one transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ - C

Merchants with payment application systems (for example, a point-of-sale system) connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ - P2PE

Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed point-to-point encryption (P2PE) solution, with no electronic cardholder data storage. Because the card data is encrypted inside the terminal and can only be decrypted by the solution provider, the merchant's network is kept out of scope. Not applicable to e-commerce channels.

SAQ - D

All merchants not eligible for any of the SAQ types above, including any merchant that stores cardholder data electronically. SAQ D covers the full set of PCI DSS requirements. (A separate SAQ D exists for service providers.)

To help you achieve compliance with the standard, Payment Management has developed business relationships with some of the leading Approved Scanning Vendors (ASVs) of the PCI Security Standards Council. ASVs are the companies qualified by the Council to perform the quarterly external vulnerability scans that the SAQ types covering Internet-connected systems (for example SAQ A-EP, B-IP, C and D) require, so through these relationships we can provide you with the tools you need to become PCI compliant.

Additional Merchant Resources about PCI Compliance can be found at https://www.pcisecuritystandards.org/merchants/


We are here to answer any additional questions you may have about PCI Compliance. Please contact us or request a free analysis of your processing statement.