The steps you need to complete to become PCI compliant depend on your self-assessment questionnaire (SAQ) profile. Below is information on the different SAQ profile types.
eCommerce website with payments entirely outsourced.
Customers enter their information into a website to make purchases, payments, or donations. All eCommerce pages are handled by a third party, PCI-validated service provider.
eCommerce website with payments partially outsourced.
Customers manually enter their information into a website to make purchases, payments, or donations. A third party, PCI-validated service provider handles purchases, payments, or donations, but is passed information from the merchant website.
Information can be entered into the merchant’s website for the merchant’s website to pass to the third party, or customers can be redirected to a third party website to complete a purchase, payment, or donation.
You use an imprint machine or standalone terminal not connected to the Internet with no electronic storage for cardholder data.
You use a standalone, IP-connected terminal with no electronic storage for cardholder data. Cardholder data is also not stored on a computer.
You use Point Of Sale (POS) software, typically installed on a computer. The software usually combines with other external devices such as cash registers and terminals. The software will commonly have additional features specific to a type of business.
You use a web browser to access a merchant services website and manually enter in information to authorize purchases, payments, or donations.
Customers manually enter payment information into a checkout or payment page that is not outsourced to a third party service provider.
You use a Point to Point Encryption (P2PE) solution. These solutions encrypt cardholder data at the point of interaction and are decrypted by the solution provider.
The following SAQ profiles require a quarterly website scan: