PCI DSS Assessment

PCI DSS Document Types

Understanding the different PCI DSS compliance documents and which one applies to your business. Each document type has specific requirements based on your payment processing environment.

Quick Decision Guide

Not sure which document you need? Our assessment tool will determine the exact requirements for your business.

Level 1

Report on Compliance (ROC)

Comprehensive assessment conducted by a Qualified Security Assessor (QSA)

Questions

All 12 Requirements

Timeline

3-6 months

Est. Cost

$15,000 - $50,000+

Version

4.0.1

Applicable For:

Merchants processing over 6 million transactions annually
Any merchant that has had a significant security incident
Service providers storing, processing, or transmitting card data

Requirements:

Must be conducted by certified QSA
All 12 PCI DSS requirements validated
On-site assessment typically required
Quarterly vulnerability scans by ASV
Annual validation required

Level 2-4

Self-Assessment Questionnaire A

For merchants with fully outsourced e-commerce using redirect payments

Questions

~24 questions

Timeline

1-2 weeks

Est. Cost

Internal time only

Version

4.0.1

Applicable For:

E-commerce merchants who redirect customers to third-party for payment
No electronic storage of cardholder data
No cardholder data on merchant systems

Requirements:

Complete 24 question self-assessment
Annual validation required
Attestation of Compliance (AOC)
No vulnerability scanning typically required

Level 2-4

Self-Assessment Questionnaire A-EP

For e-commerce merchants with partially outsourced payment processing

Questions

~140 questions

Timeline

2-4 weeks

Est. Cost

Internal time + ASV scanning

Version

4.0.1

Applicable For:

Website with embedded payment forms or iframes
Direct API integration with payment processors
No electronic storage of cardholder data

Requirements:

Complete 140+ question self-assessment
Annual validation required
Attestation of Compliance (AOC)
Quarterly vulnerability scans by ASV

Level 2-4

Self-Assessment Questionnaire B

For merchants using standalone, non-network connected payment terminals

Questions

~41 questions

Timeline

1-2 weeks

Est. Cost

Internal time only

Version

4.0.1

Applicable For:

Standalone payment terminals (dial-up or non-network)
No electronic storage of cardholder data
No e-commerce channel

Requirements:

Complete 41 question self-assessment
Annual validation required
Attestation of Compliance (AOC)
Physical security of terminals

Level 2-4

Self-Assessment Questionnaire B-IP

For merchants using IP-connected PTS payment terminals

Questions

~80 questions

Timeline

2-3 weeks

Est. Cost

Internal time + ASV scanning

Version

4.0.1

Applicable For:

IP-connected, PTS-approved payment terminals
No electronic storage of cardholder data
No e-commerce channel

Requirements:

Complete 80+ question self-assessment
Annual validation required
Attestation of Compliance (AOC)
Quarterly vulnerability scans by ASV

Level 2-4

Self-Assessment Questionnaire C-VT

For merchants using virtual payment terminals only

Questions

~84 questions

Timeline

2-3 weeks

Est. Cost

Internal time + ASV scanning

Version

4.0.1

Applicable For:

Virtual terminal for payment processing only
No electronic storage of cardholder data
No other card acceptance channels

Requirements:

Complete 84 question self-assessment
Annual validation required
Attestation of Compliance (AOC)
Quarterly vulnerability scans by ASV

Level 2-4

Self-Assessment Questionnaire C

For merchants with web-connected payment applications

Questions

~161 questions

Timeline

3-6 weeks

Est. Cost

Internal time + ASV scanning

Version

4.0.1

Applicable For:

Web-connected payment applications
No electronic storage of cardholder data
Not eligible for other SAQ types

Requirements:

Complete 161 question self-assessment
Annual validation required
Attestation of Compliance (AOC)
Quarterly vulnerability scans by ASV

Level 2-4

Self-Assessment Questionnaire D

For all other merchant environments not covered by other SAQs

Questions

~328+ questions

Timeline

2-4 months

Est. Cost

Internal time + ASV scanning + consulting

Version

4.0.1

Applicable For:

Electronic storage of cardholder data
Complex payment environments
Multiple payment channels
Not eligible for other SAQ types

Requirements:

Complete 328+ question self-assessment
All 12 PCI DSS requirements addressed
Annual validation required
Attestation of Compliance (AOC)
Quarterly vulnerability scans by ASV

Service Provider Level 1

Report on Compliance for Service Providers

Comprehensive assessment for Level 1 service providers and payment processors

Questions

All 12 Requirements + Appendix A

Timeline

4-8 months

Est. Cost

$25,000 - $100,000+

Version

4.0.1

Applicable For:

Payment processors like MagicPay.net
Service providers processing over 300,000 transactions
Level 1 service providers
Companies providing services to merchants

Requirements:

Must be conducted by certified QSA
All 12 PCI DSS requirements + Appendix A
Annual validation required
Network segmentation validation
Quarterly vulnerability scans by ASV
Executive summary to payment brands

Service Provider Level 2

Self-Assessment Questionnaire D for Service Providers

Self-assessment for Level 2 service providers

Questions

~400+ questions

Timeline

3-6 months

Est. Cost

Internal time + ASV scanning + consulting

Version

4.0.1

Applicable For:

Service providers under 300,000 transactions
Level 2 service providers
Hosting providers
Software/SaaS providers

Requirements:

Complete 400+ question self-assessment
All 12 PCI DSS requirements + Appendix A
Annual validation required
Attestation of Compliance (AOC) for Service Providers
Quarterly vulnerability scans by ASV
Multi-tenant environment validation

Ready to Determine Your Requirements?

Take our comprehensive assessment to find out exactly which PCI DSS document your business needs and get started with compliance.