Question 1

What are PCI DSS merchant levels and how do they affect my compliance path?

Accepted Answer

Merchant levels are determined by annual transaction volume across all payment channels. Level 1 merchants process over 6 million Visa or Mastercard transactions annually and are required to undergo an annual on-site assessment (Report on Compliance) by a Qualified Security Assessor (QSA) plus quarterly network scans by an Approved Scanning Vendor (ASV). Levels 2-4 merchants have lower volume thresholds and can self-assess using Self-Assessment Questionnaires (SAQs). However, card brands and acquirers can escalate any merchant to Level 1 requirements following a breach. Service providers have separate level criteria based on transaction volume processed on behalf of others.

Question 2

What is the difference between SAQ A, SAQ D, and other SAQ types?

Accepted Answer

The SAQ type depends on how your organization accepts and processes card payments. SAQ A is the simplest - for card-not-present merchants that fully outsource all cardholder data processing to PCI-compliant third parties (e.g., payment page hosted entirely by a processor, no card data ever reaches your systems). SAQ D is the most comprehensive - for merchants that store, process, or transmit cardholder data electronically (all 12 requirements apply). SAQ A-EP covers e-commerce merchants with partially outsourced payment pages. Choosing the wrong SAQ type is a common and consequential mistake - Dark Rock identifies the correct SAQ based on your actual payment flows.

Question 3

What changed in PCI DSS v4.0?

Accepted Answer

PCI DSS v4.0 introduced several significant changes: a new Customized Approach that allows alternative controls for organizations with mature security programs (replacing the prior Compensating Controls approach), stricter MFA requirements now applying to all administrative access (not just remote access), mandatory targeted risk analyses for requirements that previously had fixed timelines, new Requirements 6.4.3 and 11.6.1 addressing e-commerce script management and payment page tampering detection, anti-phishing controls (Requirement 5.4.1), and enhanced authentication requirements. All new requirements marked 'future-dated' became mandatory on March 31, 2025.

Question 4

What is an ASV scan and why is it required?

Accepted Answer

An Approved Scanning Vendor (ASV) scan is an external vulnerability scan of your internet-facing systems that are in-scope for PCI DSS, conducted by a PCI SSC-approved vendor. Quarterly ASV scans are required by PCI DSS Requirement 11.3.2 for all merchants and service providers except SAQ A. The scan must produce a passing result (no high or critical vulnerabilities on in-scope systems) each quarter. Dark Rock manages your ASV scan cadence, remediates discovered vulnerabilities before rescans, and maintains your quarterly passing scan records for assessor review.

Question 5

If we use a third-party payment processor, do we still need PCI DSS compliance?

Accepted Answer

Possibly - it depends on how completely your payment environment is outsourced. If your checkout page redirects entirely to a hosted payment page and no cardholder data ever touches your systems or network (including via scripts), you may qualify for SAQ A with a very limited control set. However, if your checkout page loads any scripts from your own environment, or if you store any card data for any purpose, you have a larger scope. Many merchants believe they are 'out of scope' because they use Stripe or Braintree, but are actually SAQ A-EP or SAQ D due to their payment page implementation. Dark Rock determines your true scope based on your actual technical architecture.

Question 6

What happens if we have a payment card data breach?

Accepted Answer

Following a breach involving cardholder data, your acquiring bank will notify your payment brand (Visa, Mastercard, etc.), which initiates a forensic investigation. A PCI Forensic Investigator (PFI) - a QSA firm authorized to conduct forensic investigations - will assess your environment. If you are found to be non-compliant at the time of the breach, you may face: fraudulent card replacement liability (card brands charge merchants for the cost of reissuing compromised cards, which can reach millions of dollars), monthly non-compliance fines from your acquirer, and suspension of payment processing rights. Compliance documentation significantly reduces your liability exposure even when breaches occur.

PCI DSS v4.0: Secure Cardholder Data, Maintain Processing Rights

Why PCI DSS Compliance Is Non-Negotiable for Payment Card Environments

Our Approach

Assess

Remediate

Implement

Certify

What You Get

Get PCI DSS Ready

Related Frameworks

Frequently Asked Questions