Does PCI DSS Apply to me?
What are the 12 requirements of PCI?
- Protect your system with firewalls
- Configure passwords and settings
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Regularly update and patch systems
- Restrict access to cardholder data to business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to workplace and cardholder data
- Implement logging and log management
- Conduct vulnerability scans and penetration tests
- Documentation and risk assessments
Compliance Levels
- Level 1 — over 6 million of Visa or Mastercard transactions per year or 2.5 million transactions of American Express per year. This PCI DSS level can also be applied to companies that experienced a security breach before. Each year a Qualified Security Assessor or a certified internal employee conducts an audit and writes an Annual Report on Compliance according to this template. Besides, an approved company conducts a quarterly network scan to detect vulnerabilities.
- Level 2 — between 1 and 6 million transactions per year. This level of compliance obliges companies to conduct an annual PCI DSS assessment and fill in the questionnaire. Annual ASV scanning is also required.
- Level 3 — between 20,000 and 1 million transactions per year. The overall requirements are similar to those for level 2.
- Level 4 — under 20,000 transactions. The overall requirements are similar to those for levels 2 and 3.
What gets submitted and to whom?
Most businesses begin their PCI Compliance journey when they are asked to submit documentation of PCI compliance to their merchant bank or to a verifier. Maybe something like this template.
What is submitted typically depends on the classification of your clients’ businesses and how they take and process credit cards. Most businesses will only need to submit a Self-Assessment Questionnaire (SAQ), an Attestation of Compliance (AoC), and evidence of passing quarterly external vulnerability scans performed by an Approved Scan Vendor (ASV). None of these requirements are intuitive for an untrained person, but all can be easily provided by a competent MSP.
Some larger vendors—or those working with a Qualified Security Assessor (QSA) —will also have to submit evidence that they have performed quarterly internal vulnerability scans and have remediated high-risk vulnerabilities. This is often accompanied by rescans as proof that all of the identified high-risk vulnerabilities have been addressed.
Initial SAQ Submission
To prepare for the initial submission, you will need to gather the appropriate Self-Assessment Questionnaire to complete. Typically, your merchant bank will indicate which form you need to complete. These are typically formulated in questions that require affirmative answers to confirm compliance.
There are negative ramifications to ignoring PCI compliance. If you experience a breach, the mandatory post-breach investigation will likely uncover the lies, exposing you to much greater fines and potential lawsuits.
Rather than relying on a cumbersome and unwieldy paper questionnaire, LSMG has PCI Compliance tools that can automatically identify issues and address them through network discovery tools. These tools will automatically produce an Evidence of Compliance document, along with a corresponding Risk Assessment, providing the facts to help answer the SAQ and provide documentation to demonstrate the responses were made in a fact-based manner.
PCI requires addressing identified issues or documenting compensating controls. The process you should follow to complete the SAQ should follow the flow below:
Initial ASV Scan Submission
Most PCI compliance submissions will require you submit an Authorized Scan Vendor (ASV) scan with an accompanying Attestation of Compliance. In order to obtain your Attestation, the results of your scan must not include any issues of medium severity or higher (CVSS score 4.0- 10). If such issues are revealed by your scan, you must remediate those issues and continue to run additional scans and remediate until you have a passing scan.
The ASV scan must be performed by one of a handful of Approved Scan Vendors, and the cost of the service can range widely, from a few hundred to thousands of dollars. If you use the LSMG, we have option to schedule and run ASV scans provided by our scan partner. When your scan passes, the fee you pay includes the required Attestation of Compliance. If it does not pass, you can perform the necessary remediation and rescan the same network as many times as needed at no additional cost until it passes.
Typically, quarterly scans are required to maintain PCI compliance.
Before any ASV scans are scheduled, LSMG will provide network scans to detect any issues proactively to help mitigate any ASV scans from failing. This is not always the case, but can make the process smoother and much more efficient.
Ultimately, you must choose the SAQ that’s right for your processing environment, but generally speaking:
- SAQ A is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
- SAQ A-EP is for e-commerce-only merchants that use a third-party service provider to handle their card information and who have a website that doesn’t handle card data, but could impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
- SAQ B is for merchants that use imprint machines and/or standalone, dial-out terminals, and have no electronic cardholder data transmission, processing, or storage. Not for e-commerce environments.
- SAQ B-IP Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that have no electronic cardholder data storage. Not for e-commerce environments.
- SAQ C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing. No electronic cardholder data storage. Not for e-commerce environments.

- SAQ C is for any merchant with a payment application connected to the Internet, but with no electronic cardholder data storage.
- SAQ P2PE is for merchants using approved point-to-point encryption (P2PE) devices, with no electronic card data storage.
- SAQ D for Merchants is for merchants that do not outsource their credit card processing or use a P2PE solution, and may store credit card data electronically.
- SAQ D for Service Providers is for service providers deemed eligible to complete an SAQ.
This table gives more detail about each of the PCI DSS 3.2.1 SAQ types:
Reference Links
https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf
https://www.pcisecuritystandards.org/document_library