"Fundamentals of PCI-DSS" Course Preview: Merchant Assessment
🎓 FULL "3-in-1 Fraud Prevention, Dispute Resolution, PCI-DSS Masterclass" Course 🎓
https://bit.ly/fraud-dispute-course
Including:
✅ 11.5 hours of video
✅ 112 lessons (with PDF slides + quizzes)
✅ Instructor support with Vasco via message
🎥 ALL Preview Lessons on YouTube (Single Playlist) 🎥
https://bit.ly/pcidss-yt
------
Video transcript (possibly truncated due to char. limit):
Let's cover how a merchant, or any organization, assesses itself in terms of PCI-DSS compliance. There are usually two major mechanisms: the ROC, or Report on Compliance, and the SAQs, or Self-Assessment Questionnaires. But these are very different in nature, they're for different types of merchants, and even within SAQs there is a little bit of complexity. So let's take a moment just to review the assessment process itself. In terms of assessing yourself as an organization for PCI-DSS, there are two major possibilities for what is required: a Self-Assessment Questionnaire, or SAQ, or a Report on Compliance, or ROC, which involves a physical visit from a qualified assessor.
The major difference between the two is that the SAQs are performed by the organization itself. You fill in the questionnaire and you deliver it to your bank. They're simpler and faster. Reports on Compliance, on the other hand, have to be performed by a Qualified Security Assessor, or QSA. Naturally, as you're thinking, the SAQ route is a lot less costly and demands less work. And the major criterion that defines whether an organization needs a Report on Compliance, or whether an SAQ is acceptable, is being a Level 1 merchant.
That means having over 60 million transactions per year. If you are Level 1, you must take a Report on Compliance. Let's cover the four merchant levels very quickly. Level 1 merchants are the biggest: they process more than 60 million transactions per year. Level 2 merchants process between 50 million and 60 million transactions per year. Level 3 merchants are between 20,000 and 15 million. And Level 4 merchants are the smallest, at less than 20,000 per year. As mentioned, any merchant from Level 2 through 4 can perform a Self-Assessment Questionnaire, which is submitted to their acquiring bank, or, if they're payment providers, this is delivered to the card company itself.
But Level 1 merchants must take a Report on Compliance, performed by a QSA and involving an on-site inspection. Now, here is the thing: even for these merchants from Level 2-4, taking the SAQ itself is not that simple. And the reason for this is that there are 8 types available. These depend on the type of organization and how they handle cardholder data (CHD). There are a few groups for merchants that handle Card Not Present (CNP) transactions versus Card Present (CP) transactions.
And two types which are global. So, first, for Card Not Present transactions, the first is the SAQ-A, which is for fully outsourced payments. You have a website that redirects to PayPal, for example. Then there is the SAQ-A-EP, which is for partially outsourced merchants. This is, for example, where you do have a third party for payments, but you communicate the card data through an HTTP POST request. So it does pass by your website.
That's the difference between these two. We'll take a look at this in more detail later on, but the rule of thumb is that websites are either SAQ-A, SAQ-A-EP, or SAQ-D. You immediately fall into SAQ-D if you store card data. Otherwise, you fit into one of the previous ones. But I'm getting ahead of myself! Next comes the SAQ-C. These are payment apps connected to the Internet. They're not websites per se, but they're specific applications that are simply connected to the Internet for only one purpose: to communicate transactions. The SAQ-C-VT, specifically, is for isolated virtual payments, by mail or telephone.
Think of someone in a call center who's taking in credit card data over the phone and posting that on a website through a very specific secure connection. Then, for Card Present transactions, we have, first, the SAQ-B, which is for "old machines". Really! It's for imprint machines that take a carbon copy of your card (very old ones) or terminals that are connected by dial connections. For example, in small newspaper shops. The SAQ-B-IP is for PTS-approved terminals that connect through an IP connection, therefore the "IP". These are approved by PTS standards, and they're payment terminals that connect via IP, via an internet connection. Then we have the SAQ-P2PE. This is for hardware terminals that are managed by P2PE systems (or peer-to-peer encryption systems).
These terminals are special. They use strong encryption, and they have their own SAQ. They're kind of the sophisticated version of these two. And then we have the catch-all category: SAQ-D. This is the category for merchants, or providers, that don't fit any other category. If you can avoid being categorized as SAQ-D, you are going to want that!