Menu
PCI DSS Audit Review
What is PCI DSS?
PCI DSS is the Payment Card Industry Data Security Standard. PCI DSS is an information security standard for organizations that handle credit cards.
The PCI Standard is a requirement mandated by each of the major card brands (VISA, MasterCard, American Express, Discover, JCB) and administered by the Payment Card Industry Security Standards Council.
The PCI Standard was created to increase controls around cardholder data to reduce credit card fraud.
Is your business prepared to complete the Self-Assessment Questionnaire?
As you can see from the table below, there is not a one size fits all model with PCI DSS compliance. Contact us today at 813-461-4763 for a FREE PCI DSS Audit Review!
| SAQ | Description | Number of Questions | Vulnerability Scan Required |
Penetration Testing Required |
|---|---|---|---|---|
| A | Card-not-present merchants (e-commerce or mail/telephone-order), that have fully
outsourced all cardholder data functions to PCI DSS compliant third-party service
providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. |
22 | No | No |
| A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on merchant’s systems or premises. Applicable only to e-commerce channels. |
191 | Yes | Yes |
| B | Merchants using only: ▪ Imprint machines with no electronic cardholder data storage, and/or ▪ Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. |
41 | No | No |
| B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage. Not applicable to e-commerce channels. |
82 | Yes | No |
| C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
79 | No | No |
| C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. |
160 | Yes | No |
| P2PE | Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage. Not applicable to e-commerce channel. |
33 | No | No |
| D | SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types. SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ. |
329 | Yes | Yes |