In the dynamic world of online transactions, safeguarding payment data is non-negotiable. Payment Card Industry Data Security Standard (PCI DSS) is a pivotal framework ensuring the security of sensitive information and preventing potential data breaches. Recently, the PCI Security Standards Council rolled out version 4.0 of the PCI DSS, introducing significant updates to the compliance landscape.
Every merchant must safeguard payment data
Although your payment gateway is already PCI DSS compliant (we hold PCI DSS Level 1 compliance, the highest level), you as a merchant or service provider still have to ensure that your own systems are secure to keep cardholder data safe. Eligible merchants and service providers have to conduct a PCI DSS self-assessment based on a Self-Assessment Questionnaire. There are several versions of the Self-Assessment Questionnaire (SAQ), and every organization has to determine which SAQ best applies to its environment.
The different scenarios, together with additional descriptions, are defined in the document “SAQ Instructions and Guidelines”. Most regular e-commerce merchants have to fill in either SAQ A or SAQ A-EP.
SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that completely outsource all account data functions to PCI DSS validated and compliant third parties. No electronic storage, processing, or transmission of account data on their systems or premises.
SAQ A-EP: E-commerce merchants that partially outsource payment processing to PCI DSS validated and compliant third parties, and with a website(s) that does not itself receive account data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. No electronic storage, processing, or transmission of account data on the merchant’s systems or premises.
All the documentation (including SAQ forms) can be found in the PCI DSS Self-Assessment Questionnaire Library.
PCI DSS v4 SAQ updates
PCI DSS v4.0 replaces the previous version, PCI DSS v3.2.1, from 1 April 2024. The SAQs have been updated to reflect version 4.0 of the PCI DSS. This update introduces additional requirements across most SAQs to strengthen data security measures.
For more information visit the PCI DSS v4 Resource Hub and PCI DSS Blog.