
Step 1: Determine Your Reporting Requirements
Merchants are assigned one of four PCI DSS merchant levels based on the number of payment card transactions they process per year (the thresholds are set by the individual card brands and are counted per brand), and each level carries different reporting requirements.

| Level | Criteria | On-Site Security Audit | Self-Assessment Questionnaire | Network Scan |
|---|---|---|---|---|
| 4 | Any merchant processing fewer than 20,000 transactions per year | | Required Annually | Required Quarterly** |
| 3 | Any merchant processing between 20,000 and 1 million transactions per year | | Required Annually | Required Quarterly** |
| 2 | Any merchant processing between 1 million and 6 million transactions per year | | Required Annually | Required Quarterly** |
| 1 | Any merchant processing more than 6 million transactions per year, and any merchant that has suffered a security breach resulting in a cardholder data compromise | Required Annually | | Required Quarterly** |
Step 2: Complete the Appropriate SAQ and Provide to Your Merchant Processor
The Self-Assessment Questionnaire (SAQ) is a document that merchants are required to complete every year and submit to their Merchant Account Processor. Completing the SAQ helps you evaluate your security practices and plan your compliance with the PCI Data Security Standard. Note that the SAQ is a self-attestation: every control you mark as in place should be backed by evidence you could produce if your processor or an assessor asked for it.
The version that your organization will need to complete depends on how your business handles payment card data - this is called your 'Validation Type'. For most merchants, the appropriate questionnaire is short and simple, while for a few it is long and technical. For example, a merchant that fully outsources all cardholder data handling to a PCI DSS validated third party may qualify for the short SAQ A, while a merchant that stores cardholder data electronically on its own systems must complete the full SAQ D.