PCI Compliance for 2014

Monterey Bay Design

The payment card industry updated its requirements in 2014, making compliance more involved, but the changes fine-tune which category you fall into. Though it may complicate things for some people, particularly those who have been in the SAQ A category, it is a positive step in keeping us all safe from credit card fraud.

In May, the PCI Security Standards Council updated a clarifying document called Understanding SAQs PCI DSS v3. It is particularly helpful for those in the SAQ A and SAQ A-EP categories.

What follows are the tables and text pertaining to PCI compliance and merchant tiers, plus some clarifying information from Understanding SAQs PCI DSS v3.

PCI SAQ – FORMS AND VALIDATION TYPES

If you are a merchant or service provider and accept credit cards, you must validate PCI compliance at least annually with a Self-Assessment Questionnaire (SAQ).

SAQ Validation Type | Description | # of Questions (v3.0) | ASV Scan Required (v3.0) | Penetration Test Required (v3.0)
--- | --- | --- | --- | ---
A | Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage | 14 | No | No
A-EP | E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage | 139 | Yes | Yes
B | Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage | 41 | No | No
B-IP | Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage | 83 | Yes | No
C | Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage | 139 | Yes | Yes
C-VT | Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage | 73 | No | No
D-MER | All other SAQ-eligible merchants | 326 | Yes | Yes
D-SP | SAQ-eligible service providers | 347 | Yes | Yes
P2PE | Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage | 35 | No | No

The following is excerpted from Understanding SAQs PCI DSS v3 by pcisecuritystandards.org.

What types of e-commerce implementations are eligible for SAQ A-EP vs. SAQ A?

To be eligible for SAQ A, e-commerce merchants must meet all eligibility criteria detailed in SAQ A, including that there are no programs or application code that capture payment information on the merchant website. Examples of e-commerce implementations addressed by SAQ A include:

  • Merchant has no access to their website, and the website is entirely hosted and managed by a compliant third-party payment processor.
  • Merchant website provides an inline frame (iFrame) to a PCI DSS compliant third-party processor facilitating the payment process.
  • Merchant website contains a URL link redirecting users from merchant website to a PCI DSS compliant third-party processor facilitating the payment process.

If any element of a payment page delivered to consumers’ browsers originates from the merchant’s website, SAQ A does not apply; however, SAQ A-EP may be applicable. Examples of e-commerce implementations addressed by SAQ A-EP include:

  • Merchant website creates the payment form, and the payment data is delivered directly to the payment processor (often referred to as “Direct Post”).
  • Merchant website loads or delivers script that runs in consumers’ browsers (for example, JavaScript) and provides functionality that supports creation of the payment page and/or how the data is transmitted to the payment processor.
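The distinction above comes down to where each piece of the payment step originates. The following checker is an added example, not part of the original post or of the PCI document: it applies the quoted SAQ A / SAQ A-EP criteria to a simplified page model (page URL plus a flat list of the elements involved in the payment step), which is an assumption of this example; the sample pages and hostnames are constructed placeholders.

```javascript
// Added example, not from the original post: applies the SAQ A / SAQ A-EP
// criteria quoted above to a simplified model of a checkout page. The model
// (page url plus a flat list of the elements involved in the payment step)
// is an assumption of this example, not something the PCI document defines.
const CARD_FIELD_HINTS = ["cardnumber", "cc-number", "cvv", "cvc", "expir"];

// Resolve a possibly relative reference against the page URL and return its
// origin. An empty reference (inline <script>, <form> without action) resolves
// to the page itself, i.e. the merchant's own origin.
function originOf(ref, pageUrl) {
  return new URL(ref || "", pageUrl).origin;
}

function isCardField(el) {
  const name = `${el.name || ""} ${el.autocomplete || ""}`.toLowerCase();
  return el.tag === "input" && CARD_FIELD_HINTS.some((h) => name.includes(h));
}

// Returns "SAQ A", "SAQ A-EP", "not SAQ A/A-EP" or "undetermined".
function classifyCheckout(page) {
  const merchant = new URL(page.url).origin;
  const fromMerchant = (ref) => originOf(ref, page.url) === merchant;
  const els = page.elements;
  const cardFields = els.filter(isCardField);
  // Card data submitted to the merchant's own origin means the merchant
  // receives cardholder data: neither SAQ A nor SAQ A-EP (Direct Post requires
  // the data to go straight to the processor).
  if (cardFields.some((f) => fromMerchant(f.formAction))) return "not SAQ A/A-EP";
  // Merchant-built payment form posting directly to the processor: Direct Post.
  if (cardFields.length > 0) return "SAQ A-EP";
  // Script delivered by the merchant (inline or merchant-hosted) on the page
  // that builds the payment step: SAQ A does not apply.
  if (els.some((e) => e.tag === "script" && fromMerchant(e.src))) return "SAQ A-EP";
  // Only an iframe or a redirect link to a third-party processor remains.
  const handoff = els.some((e) =>
    (e.tag === "iframe" && !fromMerchant(e.src)) || (e.tag === "a" && !fromMerchant(e.href)));
  return handoff ? "SAQ A" : "undetermined";
}

// Constructed sample pages; the hostnames are placeholders.
const SAMPLE_PAGES = {
  iframe: { url: "https://shop.example/checkout",
    elements: [{ tag: "iframe", src: "https://pay.processor.example/frame" }] },
  directPost: { url: "https://shop.example/checkout",
    elements: [{ tag: "input", name: "cardNumber", formAction: "https://pay.processor.example/post" }] },
  merchantScript: { url: "https://shop.example/checkout",
    elements: [{ tag: "iframe", src: "https://pay.processor.example/frame" }, { tag: "script", src: "/js/checkout.js" }] },
  postToSelf: { url: "https://shop.example/checkout",
    elements: [{ tag: "input", autocomplete: "cc-number", formAction: "/charge" }] },
};
```

Calling classifyCheckout on each entry of SAMPLE_PAGES gives SAQ A for the plain iframe, SAQ A-EP for Direct Post and for the iframe page that also loads a merchant-hosted script, and not SAQ A/A-EP for the form that posts card data back to the merchant; note that a relative script src or form action resolves to the merchant's origin, which is exactly the "originates from the merchant's website" condition.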

MERCHANT LEVELS

All merchants will fall into one of the four merchant levels. The merchant level determines the method of compliance validation that is required by the card associations.

Level 1:
  • Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year in one card brand
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant that any card association determines to be a Level 1

Level 2:
  • Any merchant, regardless of acceptance channel, processing 1 to 6 million transactions per year in one card brand

Level 3:
  • Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year

Level 4:
  • Any other merchants, regardless of acceptance channel

For full details go to: https://www.pcisecuritystandards.org
