Your Roadmap to Risk Reduction!

The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:

PCI DSS Version 4 QSA and SAQ

The PCI DSS certification is the only authorized compliance assessment for merchants and service providers who process credit cards. It is required for all businesses processing credit cards to be certified annually.

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Modules include:

  • Level 1 Merchant and Service Provider ROC and AOC
  • Level 2, 3, and 4 SAQ A
  • Level 2, 3, and 4 SAQ A-EP
  • Level 2, 3, and 4 SAQ B
  • Level 2, 3, and 4 SAQ B-IP
  • Level 2, 3, and 4 SAQ C
  • Level 2, 3, and 4 SAQ C-VT
  • Level 2, 3, and 4 SAQ D Merchants
  • Level 2, 3, and 4 SAQ D Service Providers

Level 1 Merchant

  • PCI DSS RoC
  • PCI DSS AoC Merchants
  • PCI DSS Appendix E: Explanation of Requirements Not Tested
  • PCI DSS Appendix D: Explanation of Non-Applicability
  • PCI DSS Appendix C: Compensating Controls Worksheet
  • PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
  • PCI DSS Action Plan for Non-Compliant Requirements

Level 1 Service Provider

  • PCI DSS RoC
  • PCI DSS AoC Service Providers
  • PCI DSS Appendix E: Explanation of Requirements Not Tested
  • PCI DSS Appendix D: Explanation of Non-Applicability
  • PCI DSS Appendix C: Compensating Controls Worksheet
  • PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
  • PCI DSS Action Plan for Non-Compliant Requirements

Level 2, 3 and 4

  • SAQ A and AOC SAQ A: Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
  • SAQ A-EP and AOC SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.
  • SAQ B and AOC SAQ B: Merchants using only imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ B-IP and AOC SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ C and AOC SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ C-VT and AOC SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS-validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ D Merchant and AOC SAQ D - Merchants: All merchants not included in descriptions for the above SAQ types.
  • SAQ D Service Provider and AOC SAQ D - Service Providers (the AOC includes an extra form for Service Providers, Section 2g): All service providers defined by a payment brand as eligible to complete an SAQ.

PCI DSS Readiness Compliance & Advice

The Payment Card Industry Data Security Standard (PCI DSS) is a set of specific, rigorous requirements that businesses must use to protect credit card data. These measures are meant to prevent fraud and data breaches. Online and offline merchants, and any service providers handling cardholder data, need to be in compliance.

Compliance involves firewall configuration, network security, careful monitoring, and regular scans to detect vulnerabilities. The level of compliance needed is determined by the volume of card transactions processed in a year, from the lowest level of less than 20,000 to the highest (6 million or more).

Fast Features for Fast Compliance

Get into PCI DSS compliance more quickly by using automated assets that will evaluate your system, detect gaps, and provide reports. Use streamlined systems for continuous monitoring to provide real-time reporting, which allows for faster resolution of card data security issues.

Stay focused on the key areas of risk management (identification and remediation) for quick action. Include your vendors in these standards.

Elevate your security controls, such as doing regular software updates with the latest security upgrades and patches. Make more robust passwords standard practice. Reduce possible data breaches and exposure by storing only essential information.

These are quick steps to PCI DSS compliance.

Identify, Leverage & Document the Policies

PCI compliance centers around implementing some key policies to protect payment card industry data. The main goal is to protect cardholder information. This approach to vulnerability management requires regular software and antivirus updates, restricting who can access cardholder data, and ensuring that network systems are secure with any and all transmissions encrypted.

PCI DSS requirements demand systems that will provide real-time information on areas that need improvement. See what your organization has and what you need. Documenting internal security policies is also essential to prove that you meet the PCI data security standard.

PCI audits from Continuum GRC can greatly streamline this process.

FAQ

It depends on the number of transactions processed each year. Level 1 merchants (those at the highest level, 6 million plus) are required to have annual, onsite PCI audits. Service providers to Level 1 merchants must also have an annual audit, as does any organization that has had a data breach. Other levels can do quarterly self-assessments.

There are four levels of PCI compliance, based on the annual volume of credit card transactions that are performed.

  • Level 1: Over 6 million transactions.
  • Level 2: 1 million to 6 million transactions.
  • Level 3: 200,000 to 1 million transactions.
  • Level 4: Less than 200,000 transactions.

After your PCI DSS compliance audit is completed, you’ll receive a comprehensive Report on Compliance. The ROC highlights any security gaps and recommendations to remedy them. You’ll get other action items for meeting PCI security standards. The ROC will include supporting documentation that reflects PCI DSS compliance to share with stakeholders.

The cost of PCI audits varies depending on the size of the business. The bigger companies will pay anywhere from $50,000 to $200,000. Smaller businesses will pay $20,000 or less. A lot of smaller companies can self-assess using a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AoC).

In an audit for PCI DSS compliance, a Qualified Security Assessor is involved. Within the organization that's being audited, internal IT members and compliance teams will be part of it as well. Finally, the PCI Security Standards Council (PCI SSC) sets the standards for the audits and oversees their integrity.

What are you waiting for?

You are just a conversation away from putting the power of Continuum GRC to work for you.

Contact us using the form below or by calling us at 1-888-896-6207 for immediate assistance.

Download our company brochure.

About the Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Below is a concise compliance overview of PCI DSS, focusing on its key components, requirements, and compliance process.

Overview of PCI DSS

PCI DSS was established by the Payment Card Industry Security Standards Council (PCI SSC), founded by major card brands (Visa, MasterCard, American Express, Discover, and JCB). It applies to any organization that handles cardholder data, including merchants, processors, acquirers, issuers, and service providers. The standard aims to protect cardholder data and reduce the risk of data breaches.

The current version of PCI DSS (as of August 2025) is 4.0, which was released in March 2022 and fully effective as of March 31, 2024, with a transition period for new requirements extending to March 31, 2025.

Key Objectives of PCI DSS

PCI DSS is built around six core objectives:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

12 Core Requirements of PCI DSS

These objectives are broken down into 12 high-level requirements, each with detailed sub-requirements:

  1. Install and maintain network security controls (e.g., firewalls, secure configurations).
  2. Apply secure configurations to systems (e.g., remove default accounts, disable unnecessary services).
  3. Protect stored cardholder data (e.g., encryption, truncation, or tokenization).
  4. Encrypt transmission of cardholder data across open or public networks (e.g., using TLS).
  5. Protect systems against malware and regularly update anti-virus software.
  6. Develop and maintain secure systems and software (e.g., apply security patches, follow secure coding practices).
  7. Restrict access to cardholder data by business need-to-know.
  8. Identify users and authenticate access to system components (e.g., unique IDs, strong passwords).
  9. Restrict physical access to cardholder data (e.g., secure data centers, limit employee access).
  10. Monitor and log access to network resources and cardholder data.
  11. Regularly test security systems and processes (e.g., vulnerability scans, penetration testing).
  12. Support information security with organizational policies and programs.
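As an added example (not code from the original page or from Continuum GRC's platform), the Python below shows what Requirement 3's "truncation" and masking of stored cardholder data look like in practice, and goes one step beyond the list by scrubbing PAN-shaped values from log text, which is how Requirement 10's logging avoids capturing cardholder data. The sample card numbers are constructed industry test values, and the retention limits (at most the first six and last four digits in the truncated form) are an assumption made here; confirm the rule that applies to your environment with your assessor.

```python
import re

# Constructed sample values (industry test numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500 0000 0000 0004", "3400-000000-00009"]

PAN_SHAPE = re.compile(r"\d{13,19}")
# Assumption (hypothetical limits for this example): how many digits the
# truncated storage form may retain at each end of the PAN.
MAX_LEADING = 6
MAX_TRAILING = 4


def normalize_pan(pan: str) -> str:
    """Remove spaces/dashes and insist on 13-19 digits; anything else is rejected."""
    digits = re.sub(r"[ -]", "", pan)
    if not PAN_SHAPE.fullmatch(digits):
        raise ValueError("value is not PAN-shaped")
    return digits


def truncate_pan(pan: str, keep_leading: int = MAX_LEADING,
                 keep_trailing: int = MAX_TRAILING) -> str:
    """Storage form: keep only a prefix and suffix. The middle digits are
    discarded, so the full PAN cannot be reconstructed from what is stored."""
    if keep_leading > MAX_LEADING or keep_trailing > MAX_TRAILING:
        raise ValueError("requested retention exceeds the assumed limit")
    digits = normalize_pan(pan)
    if keep_leading + keep_trailing >= len(digits):
        raise ValueError("truncation would retain the whole PAN")
    return digits[:keep_leading] + digits[-keep_trailing:]


def mask_pan(pan: str, keep_leading: int = 0, keep_trailing: int = 4) -> str:
    """Display form: same length as the PAN, hidden digits replaced by '*'.
    Masking only changes how a PAN is shown; it is not a substitute for
    truncating or encrypting the stored value."""
    digits = normalize_pan(pan)
    hidden = len(digits) - keep_leading - keep_trailing
    if hidden <= 0:
        raise ValueError("mask would reveal the whole PAN")
    return digits[:keep_leading] + "*" * hidden + digits[-keep_trailing:]


# Runs of 13-19 digits, optionally separated by spaces or dashes, inside free text.
PAN_IN_TEXT = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pan_in_text(text: str) -> str:
    """Replace anything PAN-shaped in a log line with its masked display form.
    Over-matching (e.g. a 16-digit order id) is accepted: redacting too much
    is cheaper than writing a real PAN to a log file."""
    return PAN_IN_TEXT.sub(lambda m: mask_pan(m.group(0)), text)


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(f"{pan!r}: stored={truncate_pan(pan)} shown={mask_pan(pan)}")
    # Constructed log line: the PAN is replaced before the line is written.
    print(redact_pan_in_text("checkout ok pan=4111 1111 1111 1111 amount=19.99"))
```

The distinction the code draws is the one assessors look for: a truncated value is what may be kept, a masked value is what may be displayed, and a log line should never contain either the full PAN or enough of it to rebuild the number.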

Compliance Levels

PCI DSS compliance is categorized into four merchant levels based on transaction volume (per card brand annually):

  • Level 1: Merchants processing over 6 million transactions or those that have experienced a data breach.
  • Level 2: Merchants processing 1 to 6 million transactions.
  • Level 3: Merchants processing 20,000 to 1 million e-commerce transactions.
  • Level 4: Merchants processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions.

Service providers (e.g., payment gateways, hosting providers) are classified into:

  • Level 1: Those processing over 300,000 transactions annually.
  • Level 2: Those processing fewer than 300,000 transactions.

Compliance Process

  1. Assess: Identify cardholder data, assess systems and processes, and evaluate compliance with PCI DSS requirements.
  2. Remediate: Address gaps or vulnerabilities found during the assessment.
  3. Report: Submit compliance documentation, such as a Self-Assessment Questionnaire (SAQ) for smaller merchants or a Report on Compliance (ROC) for Level 1 merchants, validated by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).
  4. Monitor and Maintain: Continuously monitor systems, perform quarterly vulnerability scans, and conduct annual reassessments.

Key Changes in PCI DSS 4.0

  • Customized Implementation: Allows organizations to use alternative controls to meet requirements, provided they achieve the same security objectives.
  • Increased Flexibility: Focus on risk-based approaches, enabling organizations to tailor controls to their environment.
  • Future-Dated Requirements: Some requirements (e.g., enhanced authentication methods) became mandatory after March 31, 2025.
  • Enhanced Validation: Greater emphasis on continuous compliance rather than point-in-time assessments.

Non-Compliance Consequences

Failure to comply with PCI DSS can result in:

  • Fines from card brands (ranging from $5,000 to $100,000 per month).
  • Increased transaction fees.
  • Loss of card processing privileges.
  • Reputational damage and legal liabilities in case of a data breach.

Best Practices for Compliance

  • Minimize Data Storage: Only store cardholder data when absolutely necessary.
  • Use Strong Encryption: Protect data at rest and in transit.
  • Regular Training: Educate employees on security policies.
  • Engage Experts: Work with QSAs or consultants for complex environments.
  • Continuous Monitoring: Implement ongoing vulnerability scanning and logging.
