How to know your PCI DSS Compliance Level, Requirements and SAQ Type?
Modern-day transactions glimpse a complete shift to card payments over cash. While nearly 50 % of customers opt to store card information for online transactions, businesses should understand that traditional security mechanisms won’t be enough to secure data assets from attacks.
Placing your systems through a compliance audit for the Payment Card Industry Data Security Standard (PCI DSS) helps extract the current state of security controls in place. PCI compliance testing services let you identify and fix weak controls that help protect critical information, including credit card customer details.
Prior to heading with PCI DSS compliance consultants, it is better to know the compliance levels and types your business falls alongside its requirements. You can see more than 300 security controls and requirements in total. Hence, identifying those requirements that apply to your business is much essential. The blog is a perfect solution to your needs.
Into the 4 Compliance levels of PCI DSS
Let us recall some prominent names of credit card companies – Visa, Master Card, American Express, Discover, JCB, etc. They all implement PCI DSS security standards to ensure that merchants accepting their credit cards operate in a protected and secure environment. And that proves how vital the data security standard stays within the payment card industry.
PCI compliance segregates into four levels based on the annual number of credit or debit card transactions a business conduct. The classification level defines what an enterprise needs to do to stay compliant.
PCI Level 1: Businesses processing over 6 million transactions yearly
PCI Level 2: Businesses processing 1 million to 6 million transactions yearly
PCI Level 3: Businesses processing 20,000 to 1 million transactions yearly
PCI Level 4: Businesses processing less than 20,000 transactions yearly
If you need to be PCI DSS compliant and raise the benefits of being a trustworthy brand, you need to initially check the PCI DSS compliance level you are at the present tick of the clock.
PCI Level 1
If your entity process 6 million card transactions yearly, you need PCI Level 1 compliance. Level 1 directs you to complete the SAQ – Self Assessment Questionnaire and requires an annual report from a qualified security assessor (QSA) or an internal security assessor (ISA). The audit for PCI Level 1 is the strictest of all classifications.
Level 1 compliance also requires entities to perform external vulnerability scan or ASV scan by an approved vendor or a qualified team. They inspect your systems, servers, cloud, and other devices for sensitive information and advise you of potential security issues.
In addition, you should run penetration tests at least once every year. The assessment is to detect potential vulnerabilities existing in your infrastructure. Likewise, you must also submit an AOC – Attestation of Compliance, illustrating sound compliance with applicable PCI DSS requirements.
PCI Level 2
Entities that fall under PCI Level 2 need not perform an onsite PCI Audit. However, you need to complete a Self-Assessment Questionnaire, SAQ. On the inside, there are different SAQ types. And according to the audit scope, the number of questions to respond will also vary.
However, certain aspects can stretch your Level 2 compliance. If you were a victim of a data breach or if your acquiring bank sees compliance as essential, you might require an onsite audit and an annual report on compliance.
Level 2 compliance requires entities to perform an external vulnerability scan by an approved vendor or a qualified team. Furthermore, annual penetration tests are also an essential requirement, including the completion of the AOC. The service providers will require pen tests to get performed every 6-months.
PCI Level 3
When it comes to Level 3 compliance, you need to complete an SAQ as well as perform quarterly network scans to identify underlying vulnerabilities. Also, the submission of the Attestation of Compliance form goes necessary here as well. For the specific level and below, penetration tests are not mandatory. However, organizations can solely perform the test as a security best practice.
PCI Level 4
And finally, the lowest level of audit set by major credit card companies – is PCI Level 4. Besides the number of transactions every year, if looking for the specific level of compliance, you should not have encountered a data breach. Likewise, there should be no record of being a victim of a cyber-attack that compromised cardholder data.
The validation requirements for PCI Level 4 mark fulfilment of the appropriate SAQ, quarterly vulnerability scans of your network and completion of an AOC. Although satisfying Level 4 requirements may take less work, implementing the required controls and maintaining them can consume a fair amount of time.
The questionnaire will require that you testify that you have the right security procedures, policies and tools in place based on the PCI security standard.
About the Self-Assessment Questionnaire (SAQ)
PCI DSS SAQ Types
Selecting PCI DSS SAQ types leans on how your organization store, process, or transmit payment card data. The PCI Council has made nine self-assessment questionnaires (SAQs) exclusively for payment card transaction channels. Selecting the right PCI SAQ is a critical step while looking for compliance. The PCI Council also provides advice on selecting the appropriate SAQ. However, even with the direction provided, many organizations fail to select the right SAQ. So, let us see what SAQ types are available, the eligibility criteria and the total number of questions enclosed.
PCI DSS SAQ Type, Eligibility, Criteria, and No. of Questions
The validation tool applies to e-commerce/mail/telephone-order merchants who have completely outsourced all cardholder data functions. There is no electronic storage, processing, or communication of cardholder data on the merchant’s systems or premises. There are 24 questions in SAQ A.
The validation tool applies to e-commerce-only merchants that depend on third-party service providers to manage card information and which have a website that processes no credit card information but affects the security of the payment transaction. There is no electronic storage, processing, or transmission of cardholder data on the merchant’s systems or premises. There are 192 questions in SAQ A-EP.
The validation tool applies to merchants that use imprint machines, standalone, and dial-out terminals. They do not transmit, process, or store electronic cardholder data. SAQ B contains 41 questions and is not for e-commerce activities.
The validation tool applies to merchants who use only standalone or PTS-approved payment terminals with an IP connection to the payment processor. They do not store electronic cardholder data. SAQ B-IP contains 87 questions and is not for e-commerce activities.
The validation tool applies to merchants who use a virtual terminal on one computer dedicated only to card processing. They do not store electronic cardholder data. SAQ C-VT contains 161 questions and is not for e-commerce activities.
The validation tool applies to merchants who use a payment application linked to the internet. They do not have electronic cardholder data storage. DAQ C contains 84 questions.
The validation tool applies to merchants who use approved point-to-point encryption (P2PE) devices. They have no electronic cardholder data storage. SAQ P2PE contains 34 questions.
SAQ D for merchants
The validation tool applies to all SAQ-eligible merchants that don’t fall under the criteria for other types. SAQ D devotes to those who do not outsource their credit card processing or use a P2PE solution. They may store credit card data electronically. SAQ D for merchants encloses 328 questions.
SAQ D for Service Providers
The validation tool applies to service providers thought eligible to complete an SAQ. SAQ D for service providers encloses 370 questions.
PCI DSS Requirements
The 12 requirements outlined by PCI SSC for handling cardholder data and maintaining a secure network are as follows: –
Build and Maintain a Secure Network & Systems
1. Install and keep a firewall configuration to safeguard cardholder data
2. Avoid the use of vendor-supplied defaults for system passwords & further security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt cardholder data communication across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware & regularly update antivirus programs/software
6. Develop and uphold secure systems and applications
Enforce Strong Access Control Measures
7. Limit access to cardholder data by businesses need to know
8. Identify and affirm access to system components
9. Restrict physical access to cardholder data
Regularly Monitor & Test Networks
10. Track and scrutinise all network resources & cardholder data access
11. Frequently test security systems & processes
Maintain an Information Security Policy
12. Uphold a policy that manages information security for all personnel
Let ValueMentor – PCI DSS compliance consultants help you!
ValueMentor can help you optimize the process of getting PCI DSS compliant. It can get hard for business owners, but with the right PCI DSS compliance consultants, you can streamline the work and save your time.
Our consultants with immense consulting experience in the payment card division can help you – from building your PCI DSS compliance foundation to helping you maintain a steadfast security program. Hop to our service offerings, talk with our advisory team, and book your customized consultation.
Consult our cyber security specialists
We can help you optimize cyber security. ValueMentor, with a full-fledged PCI DSS Compliance team, is ever-ready to handhold you with a holistic and proactive security approach. Have a concealed security ring around your business, helping you alleviate risks, enhance security and meet compliance with various regulations. Get your customized consultation and security advice.
Book your security evaluation today! Mail Us – firstname.lastname@example.org