PCI Compliance for 2014
Monterey Bay Design

The Payment Card Industry updated its requirements in 2014 (PCI DSS v3.0), making compliance more involved, but the changes also fine-tune which validation category you fall into. Though it may complicate things for some people, particularly those who have been in the SAQ A category, it is a positive step in keeping us all safe from credit card fraud.

In May, the PCI Security Standards Council updated a clarifying document called Understanding SAQs for PCI DSS v3. This is particularly helpful for those in the SAQ A/SAQ A-EP categories.

What follows are the tables and text pertaining to PCI compliance, merchant levels, and some clarifying information from Understanding SAQs for PCI DSS v3.

PCI SAQ – FORMS AND VALIDATION TYPES

If you are a merchant or service provider and accept credit cards, you must validate PCI compliance at least annually. For most merchants this is done with a Self-Assessment Questionnaire (SAQ); Level 1 merchants validate with an annual on-site assessment instead (see Merchant Levels below). Which SAQ applies depends on how you accept and handle cardholder data:

SAQ  | Description | # of Questions (v3.0) | ASV Scan Required (v3.0) | Penetration Test Required (v3.0)
A     | Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage | 14 | No | No
A-EP  | E-commerce merchants whose website does not itself receive cardholder data but can affect the security of the payment transaction (for example, a form that posts card data directly to a third party, or merchant-delivered script on the payment page), no electronic cardholder data storage | 139 | Yes | Yes
B     | Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage | 41 | No | No
B-IP  | Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage | 83 | Yes | No
C     | Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage | 139 | Yes | Yes
C-VT  | Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage | 73 | No | No
D-MER | All other SAQ-eligible merchants | 326 | Yes | Yes
D-SP  | SAQ-eligible service providers | 347 | Yes | Yes
P2PE  | Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage | 35 | No | No

Note that a plain redirect or iFrame to a compliant third-party processor keeps a merchant in SAQ A; it is the merchant's own payment form or script that moves an e-commerce merchant into SAQ A-EP, as the excerpt below explains.

The following is excerpted from Understanding SAQs for PCI DSS v3, published by the PCI Security Standards Council (pcisecuritystandards.org).

What types of e-commerce implementations are eligible for SAQ A-EP vs. SAQ A?

To be eligible for SAQ A, e-commerce merchants must meet all eligibility criteria detailed in SAQ A, including that there are no programs or application code that capture payment information on the merchant website. Examples of e-commerce implementations addressed by SAQ A include:

  • Merchant has no access to their website, and the website is entirely hosted and managed by a compliant third-party payment processor
  • Merchant website provides an inline frame (iFrame) to a PCI DSS compliant third-party processor facilitating the payment process.
  • Merchant website contains a URL link redirecting users from merchant website to a PCI DSS compliant third-party processor facilitating the payment process.

If any element of a payment page delivered to consumers’ browsers originates from the merchant’s website, SAQ A does not apply; however, SAQ A-EP may be applicable. Examples of e-commerce implementations addressed by SAQ A-EP include:

  • Merchant website creates the payment form, and the payment data is delivered directly to the payment processor (often referred to as “Direct Post”).
  • Merchant website loads or delivers script that runs in consumers’ browsers (for example, JavaScript) and provides functionality that supports creation of the payment page and/or how the data is transmitted to the payment processor.

MERCHANT LEVELS

All merchants fall into one of four merchant levels. The merchant level determines the method of compliance validation required by the card brands (for example, an SAQ versus an on-site assessment), and is set by transaction volume and breach history:

Merchant Level 1
  • Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year in one card brand
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant that any card association determines to be a Level 1

Merchant Level 2
  • Any merchant, regardless of acceptance channel, processing 1 to 6 million transactions per year in one card brand

Merchant Level 3
  • Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year

Merchant Level 4
  • Any other merchant, regardless of acceptance channel

For full details go to: https://www.pcisecuritystandards.org
