When it comes to PCI validation, the vast majority of merchants fall into the self-assessment category. The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and level two service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the self-assessment to meet various scenarios.
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
Remember knuckle-busters? They are still around. Merchants using only (a) imprint machines with no electronic cardholder data storage; and/or, (b) standalone, dial-out terminals with no electronic cardholder data storage.
Merchants using standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage.
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
About 75% of all merchants will fall into this category. Merchants with payment application systems connected to the Internet with no electronic cardholder data storage.
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
It starts to get tricky here: many merchants in this category store cardholder data, a risky thing indeed. All other merchants not included in the descriptions for SAQ types A through C, and all service providers defined by a payment brand as eligible to complete an SAQ.
SAQs and ROCs
Merchants and service providers are responsible for the security of cardholder data that is stored, processed, or transmitted within their environment. The PCI DSS requirements apply wherever credit card numbers are present. PCI DSS v3.2 has over 400 control objectives that must be followed. The extent to which you validate compliance is determined by merchant level (1-4), service provider level (1-2), and compliance validation type (SAQ or ROC).