If your business processes fewer than 6 million Visa or Mastercard transactions per year, you may be able to reduce your PCI requirements, especially if you don't store credit card numbers.
FULL PCI
When is it required?:
- Over 6 million Visa or Mastercard transactions/year
or
Requirements:
- All PCI-DSS Requirements
- Report on Compliance
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
- Quarterly vulnerability scans from an approved scanning vendor*
- Multi-Factor Authentication*
- Basic computer security
- Basic access management
- Annual penetration testing.*
- Firewall and other network security requirements*
- Encrypted connections inside and outside of the company*
- Provide PCI training to staff*
Lavawall™ significantly reduces the PCI scope and implements requirements marked with an *.
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate.
SAQ D
(Service Providers)
Who can use it?:
All service providers with under 6 million Visa or Mastercard transactions that cannot otherwise reduce their PCI compliance requirements.
Requirements:
348 requirements, including:
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
- Quarterly vulnerability scans from an approved scanning vendor*
- Multi-Factor Authentication*
- Basic computer security
- Basic access management
- Annual penetration testing.*
- Firewall and other network security requirements*
- Encrypted connections inside and outside of the company*
- Provide PCI training to staff*
Lavawall™ significantly reduces the PCI scope and implements requirements marked with an *.
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
SAQ D
(Merchants)
Who can use it?:
All merchants with under 6 million Visa or Mastercard transactions that cannot otherwise reduce their PCI compliance requirements.
Requirements:
331 requirements, including:
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
- Quarterly vulnerability scans from an approved scanning vendor*
- Multi-Factor Authentication*
- Basic computer security
- Basic access management
- Annual penetration testing.*
- Firewall and other network security requirements*
- Encrypted connections inside and outside of the company*
- Provide PCI training to staff*
Lavawall™ significantly reduces the PCI scope and implements requirements marked with an *.
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
SAQ C
Who can use it?:
Merchants with payment application systems connected to the Internet without electronic cardholder data storage.
Although Square does not usually request evidence of PCI compliance until a breach occurs, Square customers seeking evidence of PCI compliance for banks and insurance use SAQ C.
Do not use SAQ C if you only accept payments through ecommerce.
Requirements:
161 requirements, including:
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
- Quarterly vulnerability scans from an approved scanning vendor*
- Multi-Factor Authentication*
- Basic computer security
- Basic access management
- Annual penetration testing.*
- Firewall and other network security requirements*
- Encrypted connections inside and outside of the company*
- Provide PCI training to staff*
Lavawall™ significantly reduces the PCI scope and implements requirements marked with an *.
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
SAQ C-VT
Who can use it?:
Merchants who manually enter a single transaction at a time via a keyboard into an
Internet-based, virtual payment terminal solution that is provided and hosted by a
PCI DSS validated third-party service provider. No electronic cardholder data
storage.
Do not use SAQ C-VT if you accept payments through ecommerce or any other means.
Requirements:
85 requirements, including:
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
- Quarterly vulnerability scans from an approved scanning vendor*
- Multi-Factor Authentication*
- Basic computer security
- Basic access management
- Annual penetration testing.*
- Firewall and other network security requirements*
- Encrypted connections inside and outside of the company*
Lavawall™ significantly reduces the PCI scope and implements requirements marked with an *.
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
SAQ B-IP
Who can use it?:
Merchants using only standalone, PTS-approved payment terminals with an IP
connection to the payment processor with no electronic cardholder data storage.
Do not use SAQ B-IP if you only accept payments through ecommerce.
Requirements:
88 requirements, including:
- Quarterly vulnerability scans from an approved scanning vendor*
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
- Provide PCI training to staff*
Lavawall™ significantly reduces the PCI scope and implements requirements marked with an *.
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
SAQ P2PE
Who can use it?:
Merchants using only hardware payment terminals included in and managed via a
validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Do not use SAQ B-IP if you only accept payments through ecommerce.
Requirements:
33 requirements, including:
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
- Provide PCI training to staff*
Lavawall™ significantly reduces the PCI scope and implements requirements marked with an *.
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
SAQ A-EP
Who can use it?:
E-commerce merchants who outsource all payment processing to PCI DSS
validated third parties, and who have a website(s) that doesn’t directly receive
cardholder data but that can impact the security of the payment transaction. No
electronic storage, processing, or transmission of cardholder data on merchant’s
systems or premises.
Only use SAQ A-EP if you accept payments through ecommerce.
Requirements:
192 requirements, including:
- Basic computer security
- Basic access management
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
- Quarterly vulnerability scans from an approved scanning vendor*
- Annual penetration testing.*
- Firewall and other network security requirements*
- Provide PCI training to staff*
Lavawall™ partially implements requirements marked with an *. However, other solutions are typically used for web hosting environments.
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
SAQ B
Who can use it?:
Merchants using only:
Imprint machines with no electronic cardholder data storage, and/or
Standalone, dial-out terminals with no electronic cardholder data storage.
Do not use SAQ B if you accept payments through ecommerce.
Requirements:
40 requirements, including:
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
- Provide PCI training to staff*
Lavawall™ implements requirements marked with an *. However, since SAQ B applies to telephone and physical credit card machines, Lavawall™ does not significantly reduce the scope of compliance for SAQ B.
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
SAQ A
Who can use it?:
Card-not-present merchants (e-commerce or mail/telephone-order), that have fully
outsourced all cardholder data functions to PCI DSS compliant third-party service
providers, with no electronic storage, processing, or transmission of any cardholder
data on the merchant’s systems or premises.
Do not use SAQ A if you only accept payments in person.
Requirements:
22 requirements, including:
- Basic computer security
- Basic access management
- Classifying media by sensitivity
- Securing electronic and paper media containing cardholder data
- Tracking any sensitive media sent by courier
- Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data.*
Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library