PCI DSS Background
The Payment Card Industry Data Security Standard (PCI DSS) is the payment card industry's data security requirement for merchants that store, process or transmit cardholder information, and has been endorsed by all the major card brands - Visa Inc., MasterCard Worldwide, Discover Network, American Express and JCB. The PCI DSS is a framework for the secure handling of cardholder data. Find out more here - https://www.pcisecuritystandards.org/
Step 1: Confirm Level of PCI Compliance
The level of compliance determines the type of security assessment required (self-assessment, guided self-assessment or independent assessment), and indicates the level of risk for your organisation as perceived by the merchant bank.
| Level | Description | Solutions |
|---|---|---|
| Level 1 | Any merchant - regardless of acceptance channel - processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1 | For Level 1 merchants, our Compliance Validation Solution (CVS) is comprehensive in scope, from document collection and analysis to vulnerability scanning and penetration testing to the final production of the Report on Compliance (ROC). Our PCI DSS validation for a Level 1 review includes an on-site evaluation, as required by PCI DSS. |
| Level 2 | 1 million - 6 million Visa or MasterCard transactions per year | For Level 2 and Level 3 merchants, PCI DSS validation includes a SAQ and vulnerability scanning through our on-demand portal, TrustKeeper. In addition, Trustwave assigns a security consultant to work with a retailer after the initial questionnaire and scan are completed. |
| Level 3 | 20,000 - 1 million Visa or MasterCard e-commerce transactions per year | As for Level 2 |
| Level 4 | Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year | For Level 4 merchants, Trustwave's TrustKeeper provides the SAQ, vulnerability scanning (if necessary) and remediation services. Sponsored programs have access to Trustwave's Security Policy Advisor, online education and help references, and Security Awareness Training. |
If you are Level 1, you will need to appoint an approved QSA to carry out the Report on Compliance. Trustwave is the #1 QSA worldwide for the PCI Report on Compliance, approved by the Payments Security Council for worldwide assessments. Contact us. Otherwise, you can proceed with guided self-assessment.
Step 2: Select Compliance Questionnaire
The method used to process, transmit and/or store card details determines the scope of PCI compliance, i.e. the number of questions that apply in the PCI Self-Assessment Questionnaire (SAQ). If you are not sure, the PCI Wizard in Step 3 will help you select the correct questionnaire.
| Questionnaire | No. of Questions | Scope |
|---|---|---|
| SAQ A | 11 questions | Card-not-present merchants only, who outsource all parts of the credit card transaction. Data is only kept in paper reports. |
| SAQ B | 27 questions | Merchant only accepts payment cards using an imprint machine and does not keep any card data electronically; or merchants who use a stand-alone, dial-out terminal connected to a phone line or processor. The terminal has NO internet connection and no data is stored electronically. |
| SAQ C / C-VT | 41 questions | Payment application is connected to the internet but is not connected to any other systems in the network. No data is stored electronically. Service providers who connect remotely to the application are in compliance with security best practices. |
| SAQ D | 222 questions | Any merchant that does not fit any of the above categories, and any eligible service provider. |
Step 3: Review Solutions
The TrustKeeper portal contains the PCI Wizard, which walks you through the selection of the correct questionnaire, supported by helpful guidance and advice. The TrustKeeper 24/7 PCI Helpline will also support you with all aspects of the questionnaire. If in doubt, purchase the TrustKeeper Portal and it will guide you from there.
Here are the typical solutions for retail merchants:
| Product | Feature | SAQ A | SAQ B | SAQ C | SAQ D |
|---|---|---|---|---|---|
| TrustKeeper Portal | PCI Wizard (for SAQ) | • | • | • | • |
| | Tutorials, Help & Advice | • | • | • | • |
| | Security Awareness Education | • | • | • | • |
| | Policy Template | • | • | • | • |
| | SAQ Reporting | • | • | • | • |
| | Exclusive PCI Breach Insurance | • | • | • | • |
| | Exclusive 24/7 Telephone Helpline (QSA) | • | • | • | • |
| | *NEW Remediation Task Manager | • | • | • | • |
| TrustKeeper Agent | File Integrity Monitoring (FIM) | - | - | • | • |
| | Log Monitoring | - | - | • | • |
| | Card Data Scanning | - | - | • | • |
| Vulnerability Scan (ASV) | External Vulnerability Scanning - Cloud Portal | - | - | • | • |
| | Internal Scanning - Onsite Appliance | - | - | • | • |
| Unified Threat Management (UTM) | Cloud Based Management Portal (single or multi-site) | - | - | • | • |
| | Managed Firewall, 24/7/365 | - | - | • | • |
| | Gateway Anti-Virus | - | - | • | • |
| | Secure Virtual Private Network (VPN) | - | - | • | • |
| | Intrusion Prevention System (IPS) | - | - | • | • |
| | Remote Access Control | - | - | • | • |
| | Web Content Filtering | - | - | • | • |
| Web Application Firewall | SSL Encryption Certificate | - | - | - | • |
| | OWASP Top 10 Vulnerability Protection | - | - | - | • |
| | Intelligent Adaptive Learning Engine | - | - | - | • |
| | Bi-directional Deep Packet Inspection | - | - | - | • |
| | Anti Screen Scraping | - | - | - | • |
| | Marketing Intelligence | - | - | - | • |
More complex requirements?
For more complex or multi-site solutions, why not ask about our 2-Day PCI Compliance Quick Start Workshop to get started on your PCI compliance journey? Contact us.
The TrustKeeper Portal is the key building block for effective PCI compliance management. It includes all the guidance notes you need to complete the process, including the PCI Wizard for easy guidance. Once you are registered you will have access to the free 24/7 telephone helpline to answer your specific questions. See all Trustwave solutions.