The payment card industry updated to new requirements in 2014, making compliance more involved, but the changes fine-tune your category. Though it may complicate things for some merchants, particularly those who have been in the SAQ A category, it is a positive step in keeping us all safe from credit card fraud.
In May, the PCI Security Standards Council (pcisecuritystandards.org) updated a clarifying document called Understanding SAQs PCI DSS v3. It is particularly helpful for those in the SAQ A and SAQ A-EP categories.
What follows are the tables and text pertaining to PCI compliance, merchant tiers, and some clarifying information from Understanding SAQs PCI DSS v3.
PCI SAQ – FORMS AND VALIDATION TYPES
If you are a merchant or service provider and accept credit cards, you must validate PCI compliance at least annually with a Self-Assessment Questionnaire (SAQ). The SAQ type you are eligible for depends on how you accept and handle cardholder data; the table below summarises each type and whether an ASV scan or penetration test is also required.
| SAQ Validation Type | Description | # of Questions v3.0 | ASV Scan Required v3.0 | Penetration Test Required |
|---|---|---|---|---|
| A | Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage | 14 | No | No |
| A-EP | E-commerce merchants redirecting to a third-party website for payment processing, no electronic cardholder data storage | 139 | Yes | Yes |
| B | Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage | 41 | No | No |
| B-IP | Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage | 83 | Yes | No |
| C | Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage | 139 | Yes | Yes |
| C-VT | Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage | 73 | No | No |
| D-MER | All other SAQ-eligible merchants | 326 | Yes | Yes |
| D-SP | SAQ-eligible service providers | 347 | Yes | Yes |
| P2PE | Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage | 35 | No | No |
The following is excerpted from Understanding SAQs PCI DSS v3 by pcisecuritystandards.org.
What types of e-commerce implementations are eligible for SAQ A-EP vs. SAQ A?
To be eligible for SAQ A, e-commerce merchants must meet all eligibility criteria detailed in SAQ A, including that there are no programs or application code that capture payment information on the merchant website. Examples of e-commerce implementations addressed by SAQ A include:
- Merchant has no access to their website, and the website is entirely hosted and managed by a compliant third-party payment processor.
- Merchant website provides an inline frame (iFrame) to a PCI DSS compliant third-party processor facilitating the payment process.
- Merchant website contains a URL link redirecting users from merchant website to a PCI DSS compliant third-party processor facilitating the payment process.
If any element of a payment page delivered to consumers’ browsers originates from the merchant’s website, SAQ A does not apply; however, SAQ A-EP may be applicable. Examples of e-commerce implementations addressed by SAQ A-EP include:
- Merchant website creates the payment form, and the payment data is delivered directly to the payment processor (often referred to as “Direct Post”).
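As an added example (not from the page or from the PCI SSC document), here is a static triage check for the distinction just described: it inspects a checkout page's HTML for card-capture fields served from the merchant's own origin (an SAQ A-EP signal, as in the Direct Post model) versus a payment iframe pointing at another host (an SAQ A signal). The field-name hints, hostnames and sample pages are constructed assumptions, and the result is a pointer for scoping review, not an eligibility determination.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings in an <input> name/id that suggest the field captures cardholder
# data on the merchant page (constructed heuristic list for this example).
CARD_FIELD_HINTS = ("cardnumber", "card_number", "ccnum", "cvv", "cvc", "expiry")


class CheckoutScanner(HTMLParser):
    """Collect the two signals the SAQ A vs. SAQ A-EP question turns on."""

    def __init__(self, merchant_host):
        super().__init__()
        self.merchant_host = merchant_host.lower()
        self.card_inputs = []         # card-data fields delivered from the merchant page
        self.third_party_frames = []  # iframe hosts other than the merchant's own

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if any(hint in name for hint in CARD_FIELD_HINTS):
                self.card_inputs.append(name)
        elif tag == "iframe":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.merchant_host:
                self.third_party_frames.append(host)


def classify_checkout(html, merchant_host):
    """Return (candidate SAQ, evidence): 'A-EP' when the merchant page itself
    carries card-capture fields, 'A' when card entry is delegated to a
    third-party iframe, None when no payment capture is visible at all."""
    scanner = CheckoutScanner(merchant_host)
    scanner.feed(html)
    if scanner.card_inputs:           # merchant-origin form captures card data
        return "A-EP", scanner.card_inputs
    if scanner.third_party_frames:    # payment form comes from the processor
        return "A", scanner.third_party_frames
    return None, []


# Constructed sample checkout pages for the two models described in the text.
IFRAME_PAGE = """<html><body><h1>Checkout</h1>
<iframe src="https://pay.processor.example/hosted?m=123"></iframe>
</body></html>"""

DIRECT_POST_PAGE = """<html><body>
<form action="https://pay.processor.example/direct" method="post">
<input name="cardNumber"><input name="cvv"><input name="expiry">
</form></body></html>"""
```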
All merchants fall into one of four merchant levels. The merchant level determines the method of compliance validation that the card associations require.
For full details go to: https://www.pcisecuritystandards.org