PCI DSS Merchant Specifications

Under the PCI DSS standard, any business that processes, stores or transmits credit card data must comply with it. The general rule is that a business that accepts cards in any way is required to be certified. The exact requirements depend on how the business accepts credit cards: a physical store with a POS terminal does not face the same security requirements as a business that, for example, takes electronic payments by redirecting the customer to the bank's environment or to a Service Provider.

Categorization based on number of transactions

The first basic categorization is based on the number of electronic credit card transactions a merchant processes per year. There are 4 levels in total, with Level 4 being the lowest and Level 1 the highest. The biggest difference between the levels concerns Level 1, where the AOC is issued exclusively by Qualified Security Assessors (QSAs) and is called a RoC (Report on Compliance).

Merchant Level | Transactions per year | Redirect | iFrame | Direct Post | JavaScript | XML
1              | Over 6 million        | RoC A    | RoC A  | RoC A-EP    | RoC A-EP   | RoC D
2              | 1–6 million           | SAQ A    | SAQ A  | SAQ A-EP    | SAQ A-EP   | SAQ D
3              | 20,000–1 million      | SAQ A    | SAQ A  | SAQ A-EP    | SAQ A-EP   | SAQ D
4              | Up to 20,000          | SAQ A    | SAQ A  | SAQ A-EP    | SAQ A-EP   | SAQ D

Electronic transactions

For most businesses, the first contact with PCI DSS comes when they need to integrate electronic payments, for example on a website. Electronic transmission, processing and storage of credit card data also carries the greatest risk compared to transactions where the card is physically present, for obvious reasons. A common misconception is that a business that redirects the customer to the bank's environment does not need to comply with PCI DSS; as the table above shows, it still has to validate its compliance. For electronic transactions there are 3 basic questionnaires that, in practice, define the requirements; we analyze them below.

Redirects & iFrames

For card-not-present merchants whose payment page is fully outsourced: all credit card data is processed via a redirect or an iframe by a PCI validated third-party service provider.

Direct Post & Javascript

For merchants that have outsourced part of the payment process to banks or validated external providers, but where the end customer still enters the card details into a page served from the merchant's environment.

XML API

For merchants that receive credit card data directly into their own systems and store it, process it, or simply transmit it.

Physical or Card Present transactions

Although most people are not aware of it, credit card transactions carried out on physical business premises with the familiar terminal devices (POS) are also subject to PCI DSS, including specific criteria that depend on the type of POS.

DIAL-UP POS

This category covers older-technology POS terminals that complete the transaction via a call over the conventional PSTN or ISDN telephone network.

INTERNET CONNECTED POS

Modern and more widespread POS terminals complete transactions over the internet, either via Wi-Fi, a wired data connection, or an integrated SIM card (3G / 4G / 5G).

Mail Order & Telephone Order transactions (MOTO)

This category concerns transactions where the customer is not physically present at the business premises to use their card, but transacts over the phone. In this case the merchant receives the card details over the phone and typically enters them into a Virtual POS provided by a PCI Validated service provider.

VIRTUAL TERMINAL

The merchant completes the transaction by entering the customer's card details into a Virtual Terminal from their computer or any other approved device.

LAN CONNECTED PAYMENT APPLICATION

Network devices or applications connected to the merchant's local network, such as ERP systems.

Do you want to know the type and cost of your certification?

Cost calculation tool

With the easy-to-use certification type selection tool you can calculate the type and annual cost of your certification.