Last edited Jul 2023
A PCI self-assessment questionnaire is necessary for a business owner to process credit and debit cards through their company. It is a statement of compliance with Payment Card Industry (PCI) standards that all businesses must meet in order to demonstrate that they can securely process such payments.
To complete the PCI self-assessment questionnaire accurately, business owners must first understand the PCI standards, which are primarily there to protect sensitive cardholder data from being exposed via data breaches. Such breaches can cause financial harm to clients and customers, as well as quickly ruin a business.
Business owners filling out the PCI compliance self-assessment questionnaire will also need sufficient in-house IT security expertise to ensure their security measures are adequate. If there is a lack of such expertise in-house, then enlisting a specialist cyber security firm will be necessary to ensure that the standards are understood and adhered to.
What is PCI compliance?
PCI compliance means a business meets the requirements created by the PCI Security Standards Council. The council consists of five major credit card companies – American Express, MasterCard and Visa, plus Discover and JCB International – and is responsible for establishing the Data Security Standards (DSS) as well as enforcing them.
There are four levels to PCI compliance, depending on the size of the business in terms of annual transactions. These are:
Level 1 for huge businesses
Level 2 for big businesses
Level 3 for medium-sized businesses
Level 4 for small businesses
The highest level is for huge businesses that conduct a minimum of 6 million transactions per year. Their DSS requirements include an annual internal audit facilitated by a qualified and approved PCI auditor. They may also be subject to quarterly PCI scans conducted by a qualified and approved scanning vendor.
The second highest level is for big businesses conducting between 1 million and 6 million transactions every year. Their DSS requirements include annual risk assessments via the self-assessment questionnaire. They may also be subject to quarterly PCI scans conducted by an approved scanning vendor.
Medium-sized businesses conducting between 20,000 and 1 million transactions every year are the subject of the third level of DSS requirements. They must complete risk assessments with the self-assessment questionnaire every year and accept quarterly PCI scans administered by an approved scanning vendor if required.
Small businesses are those conducting fewer than 20,000 ecommerce transactions each year, as well as fewer than 1 million other transactions each year. They must conduct annual risk assessments via the self-assessment questionnaire and submit to an approved scanning vendor conducting quarterly PCI scans if required.
PCI compliance self-assessment questionnaire
There are nine different self-assessment questionnaires for specific types of businesses and transactional practices. Understanding which questionnaire is the right one for your business is the first step.
The questionnaires are differentiated by how businesses conduct their transactions. Each type is clearly outlined on the PCI Security Standards website so every business owner can see what each category includes.
For example, Questionnaire A is for Card Not Present merchants, such as e-commerce businesses and those trading via mail or telephone, that have fully outsourced all their customers’ cardholder data functions to a PCI-compliant, third-party service. They must not keep any electronic storage of cardholder data, nor conduct any processing or transmission of cardholder data on their own systems or premises.
It is crucial to complete the correct self-assessment questionnaire to avoid PCI fines and penalties.