SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

What is the PCI DSS Process?

Payment Card Assessments

If you’re a business that handles credit cards and other data related to digital payments, you’ve likely heard of the Payment Card Industry Data Security Standard (PCI DSS), or the set of interrelated controls designed to enable those handling credit cards and related data to protect the information entrusted to them.

But the PCI DSS applies differently depending on your role in the payment ecosystem, and as a PCI DSS Qualified Security Assessor, we’ve walked various types of organizations through their individual processes, which admittedly is always a daunting and thorough one.

To help you understand more about what to expect, let’s take a look at what it means to be PCI DSS compliant, what’s covered in each assessment type, and the basic process each one will follow.

Whether you’re approaching your first go with the standard or you’ve already gotten your feet wet, the following will help you establish a more complete understanding of these details.

Determining Your PCI DSS Compliance Requirements

 

What you’ll need to do to achieve PCI compliance depends on a combination of factors:

  1. Are You a Merchant or a Service Provider?
    • Merchants: Those receiving revenue through payments rendered or processed on a card payment network.
    • Service Providers: Generally everyone else—those who facilitate the processing of payment card transactions either directly or indirectly in a way that impacts the security of cardholder data, e.g., payment system manufacturers, online payment gateways, institutions that issue credit cards, system-hosting providers, and many others.
  1. How Do You Receive Payments? (for merchants only)
    • Physical cards generally present more sensitive cardholder information than is given over the phone or online.
    • Are payments received through direct interaction with a physical card (card-present transactions) or are they processed using card data without the need for physical card interaction (card-not-present transactions)?
    • Further distinctions for merchants are made based on whether you store cardholder data, and the specific payment technologies involved.
  1. How Many Transactions Are You Processing? Because the more transactions, the greater the risk.
    • Merchants are assigned to Levels 1 through Level 4—Level 1 represents the highest volume organizations, and Level 4 those with the lowest volumes, and the higher your level, the more stringent your required controls.
    • Service providers are assigned to either Level 1 or Level 2—to make the former, you must meet the threshold of 300,000 transactions.

For those merchants and service providers at Level 1, you’re required to engage a QSA firm to conduct an assessment and attest to your compliance status, while those at other levels can usually self-assess.

Note: Other entities, such as an issuing bank or acquirer, might still require an attested assessment by a QSA firm even if you’re processing fewer transactions.

 

After answering these three questions, most organizations will fall into a single category for PCI DSS compliance.

However, it’s not uncommon for those receiving payments via multiple channels—in person and online—or playing multiple roles as a service provider—merchant ISP and acquirer—to complete more than one assessment to cover all of their payment channels or roles. (This is especially true where the personnel or systems for these payment channels or roles are distinct or hosted in disparate environments, such as different data centers, or managed by separate groups.)

Which PCI DSS Self-Assessment Type is Right for You?

 

Now that you understand how to determine what kind of assessment you’ll need—self-assessment or QSA-conducted—the next step is deciding what kind of self-assessment or external assessment you’ll need, as there are distinct, more specific types.

Since the majority of organizations are eligible to complete Self-Assessment Questionnaires (SAQs), let’s start there—there are seven that apply exclusively to merchants and one (SAQ-D) that can apply to either merchants that don’t fit the criteria for one or more of the first seven or service providers who match the criteria defined by the payment brands.

SAQ Type

Purpose

High-Level Criteria

SAQ-A

For merchants whose operations are completely outsourced to PCI DSS-validated third-party service providers. No cardholder data handling of any kind is permitted, including in-person handling.

  • Merchant
  • Card-not-present
  • Levels 2 - 4
  • Phone orders
  •  e-Commerce

SAQ-A-EP

Same as SAQ-A, but for merchants with a web presence that deal directly with cardholder data but can still affect the security of the payment transaction.

For more details on SAQ-A vs. SAQ-EP, click here.

  • Merchant
  • Card-not-present
  • Levels 2 - 4
  • Phone orders
  • e-Commerce ONLY

SAQ-B

For merchants using manual card imprint machines and phone line dial-up terminals. No data storage is allowed.

  • Merchant
  • Card-present
  • Levels 2 - 4
  • NO e-Commerce

SAQ-B-IP

Same as SAQ-B, but for merchants using approved terminals that connect to payment processors over an IP network connection.

  • Merchant
  • Card-present
  • Levels 2 - 4
  • NO e-Commerce

SAQ-C

Merchants with payment application systems that are connected to the internet.

  • Merchant
  • Card-present
  • Card-not-present
  • Levels 2 - 4
  • NO e-Commerce

SAQ-C-VT

Merchants entering individual transactions using a keyboard into a virtual (internet) terminal.

*The terminal system must be hosted by a validated third-party service provider.

  • Merchant
  • Card-present
  • Card-not-present
  • Levels 2 - 4
  • Single-entry only
  • NO e-Commerce

P2PE-HW

Merchants using only P2PE hardware payment terminals that are part of a P2PE-managed solution that is listed on the PCI SSC website.

  • Merchant
  • Card-present
  • Card-not-present
  • Levels 2 - 4
  • P2PE terminals
  • NO e-Commerce

SAQ-D

(Merchant)

All merchants not fitting into one or more of the other SAQ types, or those that are required by an issuer, acquirer, or card brand to use SAQ-D.

  • Merchant
  • Level 1
  • Levels 2 - 4, if required by an upstream entity.

SAQ-D

(Service Providers)

Service providers defined by a payment brand as being eligible to complete an SAQ.

  • Service provider
  • Level 2, and eligible according to payment brand criteria for service providers

 If you meet the criteria for these, you can complete your chosen SAQ yourself—that can seem daunting, especially the first time around, but the PCI SSC website provides excellent guidance that will go a long way in helping to understand requirements.

However, Level 2 service providers and Level 2 to Level 4 merchants may also opt to use a QSA firm—like Schellman—to assist in completing your SAQ, as well as to interpret the requirements and understand your options for compliance.

When Do You Need a QSA Firm for PCI DSS Compliance?

 

But if you’re a Level 1 service provider or merchant, you’re required to engage a QSA firm to perform an independent assessment of your security controls, policies, and procedures. Once your controls are validated against the standard and shown to meet the requirements, your QSA firm will issue a Report On Compliance (ROC) that can be used to demonstrate PCI DSS compliance to your acquiring bank and other stakeholders.

QSA firms can also provide guidance and recommendations to help you improve your security posture, implement controls effectively, and mitigate risks associated with the handling of credit card information through training and education.

The Core PCI DSS Compliance Process

 

Though the process of attaining compliance with the PCI DSS varies in important ways depending on the criteria and directions discussed above, there are also four core activities that they all have in common, regardless of whether an organization is self-assessed or working with a QSA:

1. Determine the Environment and Scope

 

To understand and document the processes, systems, and personnel involved in handling cardholder data, or helping to secure cardholder data, you’ll need an inventory of your network devices, software, servers, and workstations.

Diagrams of the network boundaries, connections, and the components they protect should be reviewed or created, and any segmentation that is or can be used to reduce the overall scope should be identified, along with any necessary internal or external scanning. Finally, roles for personnel who handle cardholder data—or that impact the security of cardholder data—should be documented.

2. Evaluate the Readiness to Assess

 

With the PCI DSS as a guideline, you’ll compare your systems and operations against the standard’s high-level requirements, documenting any gaps. Depending on the maturity of your security and the complexity of the operation, this step can be time-consuming, but having a good understanding of the gaps is important to ensure ultimate success in achieving compliance.

3. Remediate Any Gaps Identified

 

Once your overall preparedness to meet the standard is understood, it’s time to close any identified gaps, and the actions taken to remediate any deficiencies should be documented. At this juncture, you’ll also need to conduct certain services such as external scanning by an independent Approved Scanning Vendor (ASV).

It can be helpful during this phase to keep in mind that sometimes the best path to compliance runs through a PCI DSS-compliant third-party service provider that can provide hosting, physical or systems security management—even end-to-end outsourcing for the cardholder data handling.

4. Conduct the PCI DSS Assessment

 

Once you’re reasonably confident that you’re meeting the requirements, evidence is gathered and retained for each of the requirements, testing is conducted as defined in the PCI DSS, and the relevant reporting template is completed. You can then distribute these deliverables to relevant stakeholders.

If a QSA firm is involved, they may attest to the validity of the testing, the testing results, and the suitability of the documentation.

Next Steps for Your PCI DSS Compliance

PCI DSS compliance can be complex, but that’s no surprise given the sensitivity of payment card data. But knowing which of the many available avenues to compliance can help, and in that, you now have a solid foundation for making your organizationally specific direction.

No matter which route you go, remember that a QSA firm can provide valuable input regardless of if you’re self-assessing or not, which can greatly ease the burden on your staff and reduce the time to achieve compliance. In that, you may feel like Schellman could be the right fit for you—if that’s the case, please contact us so that you can further evaluate our team and approach.

In the meantime, simplify your transition to the new PCI DSS v4.0 by reading our breakdowns of the different new aspects affecting compliance:

 

About Ken Van Allen

Ken Van Allen is a Senior Associate at Schellman. A collaborative leader with 23 years of experience in elevating the trust and confidence of clients in their technology solutions, Ken previously served insurance, banking, and payment network clients in North and South America and advised them regarding rebuilding their Information Security programs. As a trusted advisor serving alongside business and technology executives from middle management to boards of directors, Ken is passionate about developing people, processes, and programs that secure the confidentiality, integrity, and availability of mission-critical information. At Schellman, he is focused on PCI assessments.