PCI DSS. Where to start?
TL;DR
- Determine your role: Merchant or service provider
- Determine your level and requirements
- Identify your validation method: SAQ or RoC
- Use the PCI website
Introduction
The Payment Card Industry Data Security Standard, or PCI DSS, outlines essential requirements for protecting both you and your customers when taking payment transactions.
These standards apply across the industry, and every organisation that takes card payments must start somewhere on its PCI DSS compliance journey, whether compliance is mandated by an acquiring bank or the organisation simply wants to attest its commitment to keeping customers' card details safe.
We often see customers come to us with the same question: Where do I start? I’ve written this post to help you on your journey to compliance, which involves these key steps:
Determine your role: Merchant or service provider
Merchant Definition: An entity that accepts payment cards bearing the logos of any PCI SSC Participating Payment Brand as payment for goods and/or services.
Service Provider Definition: A business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD) on behalf of another entity. This includes payment gateways, payment service providers (PSPs), and independent sales organisations (ISOs).
Both: Some organisations may function as both a merchant and a service provider, depending on their operations.
Determine your merchant level and requirements
PCI DSS merchant levels categorise merchants based on the number of transactions processed annually. This helps define the necessary compliance verification steps. Below is an example based on MasterCard standards (similar criteria apply to other payment brands such as American Express).
| Level | Who falls into this category? | What do you need to do? |
|---|---|---|
| 1 | | |
| 2 | | Complete an Annual Self-Assessment Questionnaire (SAQ) |
| 3 | | Complete an Annual Self-Assessment Questionnaire (SAQ) |
| 4 | All other merchants (processing fewer than 20,000 e-commerce transactions or fewer than 1 million total transactions annually) | Complete an Annual Self-Assessment Questionnaire (SAQ) |
For additional details, please refer to the PCI DSS Merchant Compliance Levels provided by MasterCard and American Express:
- PCI DSS Merchant Compliance Levels | MasterCard
- PCI DSS Merchant Compliance Levels | American Express
Service provider levels: Service providers are categorised based on the volume of transactions they process and their potential impact on cardholder data security.
Identify your validation method: SAQ or RoC
Now that you know which level you fall under and have identified which assessment you need to undertake, here is a brief overview of what these assessments look like:
Self-Assessment Questionnaire (SAQ)
A series of yes or no questions that include all 12 requirements, requiring you to attest that your organisation meets PCI DSS standards. This can be completed by your organisation or reviewed by a Qualified Security Assessor (QSA) to determine compliance status. Not every company is subject to all 12 requirements. Requirements are based on your payment channels and how you ingest card data from your customers.
Report on Compliance (RoC)
A detailed document compiled by a qualified auditor following a thorough review of an organisation’s Cardholder Data Environment (CDE). Requirements are based on scoping exercises that establish which controls are applicable to the organisation and its methods of taking payments.
Select the appropriate SAQ
There are multiple types of SAQs, each tailored to different business scenarios.
Choosing the right SAQ depends on factors such as how your organisation processes payments, whether you store cardholder data, and the methods used for processing transactions.
Conclusion: Use the PCI website
The PCI website has some super handy tips and guidance documents to help you understand PCI. We’ve linked resources below: