What is a PCI classification needed for?
The PCI classification determines which assessment method is required to formally and correctly demonstrate PCI DSS compliance for your company. This tells you, as a merchant or service provider, whether your company can demonstrate compliance on its own through a Self-Assessment Questionnaire (SAQ) or only through an on-site assessment by an external Qualified Security Assessor (QSA), who documents the result in a Report on Compliance.
Are we a merchant or a service provider?
This depends on the role your company takes on in the PCI context. If you have entered into a merchant agreement with an acquiring bank (acquirer) and accept card payments for your own goods or services, you are considered a merchant. If instead you store, process or transmit cardholder data on behalf of other companies, or provide services that can affect the security of their cardholder data (for example hosting, payment gateways or managed firewalls), you are classified as a service provider. A company can hold both roles at once, for example a payment gateway that also sells its own subscriptions.
I need to renew my SAQ. Can I transfer data from last year?
Yes, if you completed an SAQ according to PCI DSS v4.x and the PCI version has not changed in the meantime, it is possible to transfer the data from the previous year.
How can I view the SAQ data from last year?
To see the information you provided previously in your Self-Assessment Questionnaire (SAQ), please navigate to the "PCI Documents" section on the PCI platform. There you can download the full Attestation of Compliance (AoC) or view the data entered in the SAQ directly (from PCI v4.x onward).
Do all questions in the SAQ have to be answered?
Yes, all questions must be answered; otherwise, you cannot complete the Self-Assessment Questionnaire. However, you can interrupt your responses at any time; your progress is automatically saved on the PCI platform.
What topics should I expect in an SAQ?
The questionnaire addresses the 12 main requirements of the PCI Data Security Standard (PCI DSS). As there are different types of SAQs, their content and scope will vary. Which SAQ type applies to your company depends on your payment processing methods. The PCI platform provides an assistant to help you identify the appropriate SAQ type.
How can I get help filling out the SAQ?
Unfortunately, free support through the PCI Competence Center is not available. However, our PCI DSS certified security experts are available to assist you with specific questions. For more information, please visit our consulting services.
Our travel agency needs to provide proof of PCI DSS compliance to IATA.
Usually, IATA requires your company’s Attestation of Compliance (AoC) as evidence. You will receive this document in PDF format after successfully completing the Self-Assessment Questionnaire (SAQ) on the PCI platform.
How to download the PDF:
- Log in to the PCI platform.
- In the “PCI Verification” section, select “Self-Assessment (SAQ).”
- Start and complete the self-assessment for your company. If you have already completed an SAQ according to PCI DSS v4.x, the previous year's data can generally be imported.
- The PDF document will then be available for download in the “PCI Documents” section.
Please note: IATA does not require a certificate as proof of PCI compliance. The PCI Security Standards Council does not issue or recognize "PCI certificates"; the recognized evidence of compliance is the Attestation of Compliance (together with the completed SAQ or Report on Compliance). A certificate is only a marketing document and is not official proof of PCI DSS compliance.
What is a payment page?
A payment page is a web form in which the cardholder enters their full card number (PAN). In e-commerce, it is the form displayed during checkout for entering the card payment details.
If payment processing is outsourced to a PCI DSS compliant payment service provider, the payment page is typically integrated into the checkout page as an iframe, a URL redirect or a direct post to the provider. It is also possible to display the payment form directly within your own checkout process and then forward the card data to the acquirer via server-to-server communication. Note that in this last model the card data passes through your own web server, which brings that server into PCI DSS scope and generally rules out the simplified SAQ A.
What are payment page scripts?
The term "payment page scripts" appears in PCI DSS v4.x under the new requirement 6.4.3. It refers to any scripts embedded on the payment page. These may be provided by the merchant, the payment service provider, or third parties.
Such scripts can serve various functions, for example:
- Generating an iframe for card data entry (e.g., in SAQ A)
- Validating and checking the correctness of card data input
- Serving advertising, statistics, or design adjustments
A defining feature of these scripts is that they are loaded, often from external origins, and executed in the cardholder's browser on the very page where card data is entered. Because they run with full access to the page and therefore directly affect the security of the card payment, they require special attention and protection measures.
What risks are associated with using payment page scripts, and how can you protect against them?
Payment page scripts carry the risk that an attacker who compromises a seemingly harmless script, or the server or CDN it is loaded from, can inject and run malicious code undetected (so-called digital skimming or "Magecart" attacks). Such malicious code then captures card data directly in the customer's browser as it is typed, before it ever reaches the payment service provider.
To minimize this risk, you should:
- Limit the scripts on your payment page to those essential for its functionality, and make sure you understand the purpose and origin of each one.
- Ensure that no script is added to the payment page without prior authorization (e.g., by management or a change approval process).
- Assure the integrity of each script so that a modified script is not executed, for example with Subresource Integrity (SRI) hashes and a Content Security Policy that restricts where scripts may be loaded from.
- Maintain an inventory of all scripts on your payment page, with a written justification for each, and a monitoring process that detects scripts that were added or changed without authorization.
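The inventory and monitoring process above can be partly automated. The following is an added example, not code from the page or from the PCI Council: it parses the HTML of a payment page, lists every script it loads or embeds, compares them against an approved inventory (one entry with owner and written justification per script) and verifies the served content of each external script against its expected SRI hash. The page HTML, the inventory, the script URLs (`psp.example`, `cdn.example`) and the "served" script bodies are all constructed sample data; in a real monitoring job the bodies would be fetched from the URLs.

```python
"""Payment-page script audit: inventory, authorization and integrity check.

Added example, not the page's or the PCI Council's own tooling. All URLs,
script bodies and inventory entries are constructed for the demonstration.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity digest of the form "sha384-<base64>"."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class ScriptCollector(HTMLParser):
    """Collect every <script> element: external src, integrity attribute, inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:      # HTMLParser hands us script bodies as data
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html: str, inventory: dict, served: dict) -> list:
    """Compare the scripts found on a page against the approved inventory.

    inventory: {identifier: {"owner": str, "justification": str, "sri": str}},
               identifier is the script URL or "inline:<name>" for inline scripts.
    served:    {url: bytes}, the script bodies as actually delivered from each URL
               (constructed here; a monitoring job would fetch them).
    Returns one (identifier, verdict) tuple per script, in page order.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            ident = s["src"]
            entry = inventory.get(ident)
            if entry is None:
                findings.append((ident, "UNAUTHORIZED: not in inventory"))
            elif sri_hash(served.get(ident, b"")) != entry["sri"]:
                findings.append((ident, "TAMPERED: served content differs from approved hash"))
            elif not s["integrity"]:
                findings.append((ident, "NO-INTEGRITY: external script without SRI attribute"))
            elif s["integrity"] != entry["sri"]:
                findings.append((ident, "TAMPERED: integrity attribute on page was changed"))
            else:
                findings.append((ident, "OK"))
        else:
            # Inline scripts have no URL; identify them by the hash of their body,
            # so any edit to the inline code shows up as an unknown script.
            actual = sri_hash(s["body"].encode())
            match = [k for k, v in inventory.items() if k.startswith("inline:") and v["sri"] == actual]
            findings.append((match[0] if match else f"inline:{actual}",
                             "OK" if match else "UNAUTHORIZED: unknown inline script"))
    return findings


# Constructed sample data. APPROVED holds the script bodies as they were reviewed;
# SERVED holds what the monitoring job "fetched" today (ui-widgets.js was altered).
APPROVED_PSP = b"window.PSP={mount:function(){/* builds the card-entry iframe */}};"
APPROVED_UI = b"render();"
SERVED = {
    "https://psp.example/checkout.js": APPROVED_PSP,
    "https://cdn.example/ui-widgets.js": APPROVED_UI + b"document.body.appendChild(fakeCardForm());",
    "https://cdn.example/analytics.js": b"track('checkout');",
}
INVENTORY = {
    "https://psp.example/checkout.js": {"owner": "payment service provider",
                                        "justification": "renders the card-entry iframe",
                                        "sri": sri_hash(APPROVED_PSP)},
    "https://cdn.example/ui-widgets.js": {"owner": "merchant (front-end team)",
                                          "justification": "checkout layout",
                                          "sri": sri_hash(APPROVED_UI)},
    "inline:mount-iframe": {"owner": "merchant", "justification": "calls PSP.mount()",
                            "sri": sri_hash(b"PSP.mount();")},
}
PAGE = """<html><body>
<script src="https://psp.example/checkout.js" integrity="{psp}" crossorigin="anonymous"></script>
<script src="https://cdn.example/ui-widgets.js" integrity="{ui}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>PSP.mount();</script>
</body></html>""".format(psp=INVENTORY["https://psp.example/checkout.js"]["sri"],
                         ui=INVENTORY["https://cdn.example/ui-widgets.js"]["sri"])

if __name__ == "__main__":
    for ident, verdict in audit_payment_page(PAGE, INVENTORY, SERVED):
        print(f"{verdict}  <-  {ident}")
```

Run against the sample page, the audit reports the provider's checkout script and the inline mount call as OK, flags the altered `ui-widgets.js` as tampered (its served body no longer matches the approved hash, even though the `integrity` attribute on the page is unchanged, which is exactly the case where a browser would refuse to run it) and flags `analytics.js` as unauthorized because nobody has justified it in the inventory. In practice the job would run on a schedule, fetch the live page and scripts, and alert on any verdict other than OK.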
The PCI Council has published detailed guidance on securing scripts, which you can find at the following link.
We have integrated an iframe from a PCI certified provider in our checkout (SAQ A). Do we need to inventory and monitor the provider’s scripts?
No, this is generally not required. The PCI-certified service provider ensures that their scripts comply with PCI requirements and are regularly reviewed.
However, you should still carefully check and monitor all other scripts, both your own and those from third parties, running on your checkout page. A compromised script on the parent page can undermine the iframe without touching the provider's code at all, for example by replacing the iframe's source with an attacker-controlled form or by overlaying a fake card-entry form on top of it. Preventing this is your responsibility, not the provider's.