Comprehensive PCI DSS Merchant Training Guide

Whether your business processes 10 card transactions per year or 10 million, you’re required to comply with PCI-DSS requirements.

The more card transactions you process, the more risk there is for potential data breaches and security incidents. To help address this, the Payment Card Industry Data Security Standard (PCI-DSS) categorizes businesses into PCI compliance levels.

Understanding what compliance level your business falls under is a crucial first step in your PCI compliance journey.

Below, we break down the criteria to help you determine your PCI compliance level.

PCI Merchant vs. Service Provider

Before determining your PCI DSS level, you must identify which category your business falls into: merchant or service provider.

Merchants are businesses that accept payment cards bearing the brand of any of the founding members of the PCI Security Standards Council (American Express, Discover, JCB, Mastercard, or Visa).

Service providers are not payment brands themselves, but they are directly involved in the processing, storage, or transmission of cardholder data on behalf of a merchant or another entity, so their security directly affects the security of their customers' cardholder data.

Service providers also include companies whose services could affect the security of cardholder data even though they never handle it directly, such as managed firewall, hosting, or backup providers.

The payment card brands split merchants and service providers into different reporting levels based on the number of transactions they handle each year. Each brand counts its own transactions separately, and your acquiring bank (or the brand itself) ultimately assigns the level you must validate at.

Part 1: PCI DSS Fundamentals (All Merchants)

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security requirements created by the major payment card brands (Visa, Mastercard, American Express, Discover, and JCB) and maintained by the PCI Security Standards Council. The purpose of the standard is to protect cardholder data and reduce fraud. Any merchant that accepts, stores, processes, or transmits cardholder data must comply, regardless of size or transaction volume.

The 12 Core Requirements

The PCI DSS is built on 12 key requirements, grouped under six control objectives for protecting cardholder data: building and maintaining a secure network and systems, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

The Consequences of Non-Compliance

Failure to comply with PCI DSS can lead to fines, penalties from banks and card brands, liability for data breaches, loss of the ability to process payments, and damage to reputation.

Your role in compliance

Every employee handling payment card information is responsible for compliance, including following procedures, reporting suspicious activity, and completing training.

Part 2: Determining your merchant level

The merchant levels used by Visa and Mastercard are:

Level 1: Over 6 million transactions annually (any channel)

Requires an annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or, where the brand permits, by an internal auditor holding PCI SSC Internal Security Assessor (ISA) certification; quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); and an annual Attestation of Compliance (AOC). Level 1 merchants do not complete a self-assessment questionnaire (SAQ); the ROC takes its place. A brand may also, at its discretion, place any merchant in Level 1 regardless of volume, for example after a compromise.

Level 2: 1 to 6 million transactions annually

Level 2 merchants complete an annual SAQ and AOC, plus quarterly ASV scans where the applicable SAQ requires them. Mastercard additionally requires that a Level 2 merchant's SAQ be completed either by a QSA or by internal staff who hold PCI SSC ISA certification; this is a validated SAQ, not a full ROC. For details, refer to the Mastercard Site Data Protection (SDP) program documentation.

Level 3: 20,000 to 1 million e-commerce transactions annually

Level 4: Fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually

Level 3 and Level 4 merchants complete an annual SAQ and AOC, plus quarterly ASV scans where the applicable SAQ requires them; Level 4 validation requirements are set by the acquirer. Transaction counts are per brand (Visa counts Visa transactions, Mastercard counts Mastercard transactions), so confirm with your acquiring bank which level you must validate at.

Part 3: Choosing Your SAQ and Understanding Requirements

The Self-Assessment Questionnaire (SAQ) you should use depends on how your business accepts payment cards: specifically whether you handle payments in person, online, or via phone/mail, which systems of yours touch cardholder data, and whether any cardholder data is stored electronically on your own systems.

Common SAQ Types

  • SAQ A: For card-not-present (e-commerce or mail/telephone-order) merchants that outsource all cardholder data functions to PCI DSS compliant third parties and do not store, process, or transmit cardholder data on their own systems; for e-commerce, all elements of the payment page delivered to the customer's browser come from the compliant third party.
  • SAQ A-EP: For e-commerce merchants whose web server does not itself receive cardholder data but controls how the customer or the data is redirected to the third-party payment processor (for example a Direct Post or JavaScript-based form), so the merchant's site can affect the security of the transaction; no electronic storage of cardholder data.
  • SAQ B: For merchants using standalone, dial-out payment terminals or imprint machines, with no electronic cardholder data storage.
  • SAQ B-IP: For merchants using standalone, PTS-approved payment terminals connected to the processor over IP, that do not store electronic cardholder data.
  • SAQ C-VT: For merchants that manually key single transactions into a web-based virtual terminal on an isolated computer, without storing cardholder data.
  • SAQ C: For merchants whose payment application system (for example a POS system) is connected to the internet, with no electronic cardholder data storage.
  • SAQ P2PE: For merchants that process cardholder data only through hardware payment terminals that are part of a PCI-listed, validated Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage.
  • SAQ D: For merchants or service providers that store cardholder data electronically or do not qualify for any other SAQ (covers complex environments); there are separate SAQ D versions for merchants and for service providers.

To determine the correct SAQ

  1. Identify your business type: Are you a merchant or a service provider?
  2. Understand your payment flow: How do you receive credit card data (in-person, online, phone order)?
  3. Determine data storage: Do you store cardholder data electronically on your systems or premises?
  4. Consult official resources: Review detailed descriptions for each SAQ on the PCI Security Standards Council website to ensure you meet the specific eligibility criteria for your environment.
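Step 3 is the one merchants most often get wrong: cardholder data turns up in web-server logs, database exports, support tickets and shared drives that nobody counted as part of the payment flow. The script below is an added example for this guide, not an official PCI SSC tool or code from the original page. It searches text for 13 to 19 digit candidates, discards any that fail the Luhn check, labels the rest by well-known IIN prefixes (a heuristic, not an authoritative BIN lookup), and reports only a masked form so that the scanner's own output does not become a new copy of cardholder data. The log lines are constructed for the example, and the card numbers in them are the widely published test numbers from payment-gateway integration docs, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits (so order numbers and timestamps that
# happen to touch a digit run are not merged into a false candidate).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Heuristic brand label from well-known IIN prefixes (not a BIN lookup)."""
    p2, p3, p4 = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan.startswith("4"):
        return "Visa"
    if 51 <= p2 <= 55 or 2221 <= p4 <= 2720:
        return "Mastercard"
    if p2 in (34, 37):
        return "American Express"
    if p4 == 6011 or p2 == 65 or 644 <= p3 <= 649:
        return "Discover"
    if 3528 <= p4 <= 3589:
        return "JCB"
    return "unknown"


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits, the most PCI DSS permits
    for display; the scanner's own output must never contain a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines):
    """Return one finding per Luhn-valid candidate: line number (1-based),
    masked PAN, and heuristic brand. Luhn-invalid digit runs are skipped."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
                continue
            findings.append({
                "line": line_no,
                "masked": mask_pan(digits),
                "brand": brand_of(digits),
            })
    return findings


# Constructed sample log for this example. The card numbers are the widely
# published gateway test numbers, not real accounts; the tracking number on
# line 3 is a 16-digit run that fails Luhn and must not be reported.
SAMPLE_LOG = """\
2024-03-02 10:14:22 order=83412 card=4111 1111 1111 1111 exp=12/27 amount=42.10
2024-03-02 10:15:01 order=83413 phone=+1 415 555 0173 note=customer callback
2024-03-02 10:15:40 order=83414 tracking=4111111111111112 carrier=UPS
2024-03-02 10:16:05 order=83415 card=3782-822463-10005 amount=1300.00
2024-03-02 10:16:33 order=83416 token=tok_4F9a2bQx7 amount=19.99
2024-03-02 10:17:10 order=83417 card=5555555555554444 exp=01/26 amount=7.50
"""


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['brand']} {f['masked']}")
```

A hit anywhere outside the systems you declared in your SAQ means either the SAQ scope is wrong or data is being stored that should not be; both change which SAQ you qualify for. Luhn-valid runs that are not card numbers (some tracking or account numbers) will still be flagged, so treat the output as a review list, and run the scanner from a host that is itself in scope, since reading the files exposes it to cardholder data.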

Which Merchants Require Penetration Testing?

  • SAQ A-EP and SAQ D: require penetration testing at least annually and after any significant change to the environment, covering both the external and the internal perimeter of the cardholder data environment (CDE). Where network segmentation is used to reduce scope, the segmentation controls must be tested as well. The test may be performed by a qualified internal resource or a qualified third party, but the tester must be organizationally independent of the systems being tested; a QSA or ASV certification is not required. Merchants on other SAQs should check the Requirement 11 section of their own SAQ, since the penetration-testing requirement follows the SAQ, not the merchant level.

Part 4: Training by SAQ Type

Once the SAQ type is identified, merchants can focus on relevant training modules:

  • SAQ A / A-EP: Focuses on phishing and malware awareness, keeping cardholder data off the merchant's own systems, website and payment-page integrity (for A-EP, the merchant's site controls how customers are redirected to the processor), and verifying third-party service providers' compliance, including collecting their AOC each year.
  • SAQ B / B-IP / C-VT: Covers physical security of terminals, protecting terminal and virtual-terminal credentials, restricting access to payment devices and systems, secure storage and destruction of paper records containing card data, and using unique IDs for each virtual terminal user.
  • SAQ P2PE: Emphasizes the integrity and security of P2PE devices, secure shipping and receiving, maintaining a device inventory, and periodically inspecting devices for tampering or substitution.
  • SAQ D: Requires comprehensive training on all 12 PCI DSS requirements, with emphasis on handling stored cardholder data, access management on a need-to-know basis, and data retention and secure disposal.

Part 5: Reporting and Resources

Next steps for merchants

Merchants should confirm their level and SAQ type with their acquirer; complete the applicable SAQ and Attestation of Compliance (AOC) each year (or, for Level 1, the Report on Compliance (ROC) and AOC); have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) where the SAQ requires them; and conduct annual penetration tests where the SAQ requires them (SAQ A-EP and SAQ D).

Part 6: PCI DSS Compliance Best Practices

Key practices include annual staff training, understanding and documenting the scope of your cardholder data environment, ensuring third-party vendor compliance, continuous monitoring, encrypting cardholder data when it is transmitted over open or public networks, documenting policies and procedures, and maintaining and testing an Incident Response Plan.

Steps to achieve and maintain compliance

  1. Determine your merchant level: Identify your annual transaction volume per card brand and confirm your level with your acquiring bank.
  2. Determine your SAQ: Select the SAQ based on your payment environment.
  3. Assess your environment: Review systems against SAQ requirements.
  4. Perform scans and tests (if applicable): Quarterly ASV scans and annual penetration tests where your SAQ requires them, and again after significant changes to the environment.
  5. Complete the AOC: Fill out the Attestation of Compliance.
  6. Submit documentation: Provide the completed SAQ, AOC, and passing ASV scan reports to your acquirer, or as the card brand directs.
  7. Maintain compliance continuously: PCI DSS compliance is an ongoing effort, not an annual event; controls must stay in place between assessments.

Important resources

Key resources include the PCI Security Standards Council website for official documents and guidance (the standard itself, the SAQs and their eligibility criteria, and the lists of QSAs, ASVs, and validated P2PE solutions), and your acquiring bank for the specific validation and reporting requirements that apply to your level.