
PCI DSS for merchants

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandatory security requirements (not optional guidelines) intended to ensure that every entity that stores, processes, or transmits payment card data maintains a secure environment.

The Payment Card Industry Security Standards Council (PCI SSC) was established to oversee the ongoing development of PCI security standards, with a goal of enhancing payment account security throughout the transaction process. PCI DSS is governed by the PCI SSC (www.pcisecuritystandards.org), an independent entity created by major payment card brands (Visa, MasterCard, American Express, Discover, and JCB).

What are PCI levels and how are they determined?

PCI merchant levels are categories defined by the individual card brands (not by the PCI SSC) that determine how a merchant must validate its compliance. The security requirements themselves are the same at every level; only the validation method changes. Levels are based on the annual volume of card transactions processed. The thresholds below follow the Visa and Mastercard definitions; the other brands' thresholds differ slightly, so check with your acquirer which level applies to you.

What are the four different PCI levels and their corresponding requirements?

The four PCI levels are Level 1, Level 2, Level 3, and Level 4. Each level has specific validation requirements, with Level 1 being the most rigorous and Level 4 the least demanding. Below are the validation requirements for each level:

PCI Level | Applicable to | Validation requirements
1 | Organizations processing more than 6 million transactions annually | Annual on-site security assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC), and quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
2 | Organizations processing between 1 and 6 million transactions annually | Annual Self-Assessment Questionnaire (SAQ) and quarterly external vulnerability scans by an ASV.
3 | Organizations processing between 20,000 and 1 million transactions annually | Annual Self-Assessment Questionnaire (SAQ) and quarterly external vulnerability scans by an ASV.
4 | Organizations processing fewer than 20,000 transactions annually | Annual Self-Assessment Questionnaire (SAQ) and quarterly external vulnerability scans by an ASV, where required by the acquirer.

What is an SAQ?

A Self-Assessment Questionnaire (SAQ) is a validation document that merchants complete to evaluate and attest to their compliance with PCI DSS. A merchant's PCI level (based on annual transaction volume) determines whether an SAQ is an acceptable form of validation at all; which SAQ type applies is then determined by how the merchant accepts cards (e.g., e-commerce via a hosted payment page, standalone point-of-sale terminals, a virtual terminal) and whether any cardholder data is stored electronically. A merchant with more than one payment channel may need to complete more than one SAQ.

What are the different types of SAQ?

The various types of SAQ and their applicability are listed below. The question counts are indicative only and change between PCI DSS versions. More information on the different SAQ types can be found in the Understanding SAQs for PCI DSS guide.

SAQ Type | Summary of applicability | Questions
SAQ A | Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third parties, for example via a hosted payment page or full redirect, with no electronic storage of cardholder data | 22
SAQ A-EP | E-commerce merchants that outsource payment processing to a PCI DSS validated third party but whose own website controls how cardholder data is sent to that third party (e.g., a direct-post form or JavaScript on the merchant's page), with no electronic storage of cardholder data | 139
SAQ B | Merchants using only imprint machines and/or standalone dial-out payment terminals, with no electronic storage of cardholder data | 41
SAQ B-IP | Merchants using only standalone, PTS-approved IP-connected payment terminals, with no electronic storage of cardholder data | 85
SAQ C-VT | Merchants that manually key one transaction at a time into a web-based virtual terminal on an isolated Internet-connected device, with no electronic storage of cardholder data | 87
SAQ C | Merchants whose payment application system is connected to the Internet, with no electronic storage of cardholder data | 121
SAQ P2PE | Merchants using only hardware payment terminals managed via a PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic storage of cardholder data | 33
SAQ D | SAQ-eligible merchants that do not meet the criteria of any of the above SAQs (including any merchant that stores cardholder data electronically) | 329

How does Monek help Merchants achieve PCI compliance?

Monek simplifies PCI compliance for merchants using its payment platform for both e-commerce and point of sale processing.

E-Commerce

Monek's solution includes payment forms and pages hosted on its PCI DSS compliant platform, allowing cardholders to enter sensitive payment information directly within that environment rather than on the merchant's site. This reduces the merchant's PCI scope, since the merchant does not transmit, process, or store cardholder data for e-commerce transactions. The merchant's own web page that redirects to, or embeds, the hosted form nevertheless remains in scope: if that page is compromised it can send cardholders somewhere else, which is why SAQ A still carries requirements for it.

Point of Sale Terminals

All Monek payment terminals comply with the latest PIN Transaction Security (PCI PTS) standards and use end-to-end encryption. This means that cardholder data is encrypted at the payment terminal and sent directly to Monek for decryption and processing; the merchant's own systems and network only ever carry ciphertext. This method reduces the merchant's PCI scope as the merchant does not handle cardholder data in the clear for point of sale transactions. Note that the fullest scope reduction (eligibility for SAQ P2PE) applies only to solutions listed by the PCI SSC as validated P2PE solutions; confirm with Monek or your acquirer which SAQ applies to your terminal deployment.

Do I need to be PCI compliant if I use Monek?

While Monek is a certified PCI Level 1 Service Provider, the highest level of PCI DSS compliance, PCI DSS standards apply to any organization that accepts, transmits, processes, or stores cardholder data. Each organization is responsible for ensuring their own PCI compliance.

If Monek is used for all payment processing, much of the compliance burden shifts to Monek, which, depending on annual transaction volume, significantly reduces both the merchant's risk exposure and the effort required to validate compliance. However, merchants must still:

  • Complete an annual SAQ based on the payment integration methods used.
  • Conduct quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where the applicable SAQ or the acquirer requires them.
  • Implement appropriate security measures to protect cardholder data.
  • Ensure all employees are trained in PCI compliance and understand their responsibilities.
  • Report any security breaches to the appropriate parties promptly.
  • Submit the completed SAQ to Monek if they are PCI Level 3 or above.

Where can I find information on PCI Qualified Professionals?

A list of PCI Qualified Professionals, including QSAs and ASVs, is available on the PCI Security Standards Council website via PCI Qualified Professionals Listings Overview.

What happens if I'm not PCI compliant?

Non-compliance with PCI DSS can result in fines (assessed by the card brands and passed on through the acquirer), increased transaction fees, and reputational damage. If card data is compromised while you are non-compliant, you can also be held liable for the costs of the forensic investigation and of the resulting fraud. In severe cases, non-compliance can lead to the suspension or termination of your account with your payment processor.

For more information on SAQs, refer to the Understanding SAQs for PCI DSS guide from the PCI Security Standards Council.