All merchants should complete the designated self-assessment for their merchant. Completing the appropriate self-assessment ensures that you fully understand your processes and operations, that you are educated on and held accountable for PCI policy and procedures, and that you recognize and remediate any security flaws.

PCI Data Security Standards Overview 

The Payment Card Industry (PCI) Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. 

PCI Data Security Standard - High Level Overview 

  1. Build and Maintain a Secure Network 

    1. Install and maintain a firewall configuration to protect data 

    2. Do not use vendor-supplied defaults for system passwords and other security parameters 

  2. Protect Cardholder Data 

    1. Protect stored cardholder data 

    2. Encrypt transmission of cardholder data across open, public networks 

  3. Maintain a Vulnerability Management Program 

    1. Use and regularly update anti-virus software or programs 

    2. Develop and maintain secure systems and applications 

  4. Implement Strong Access Control Measures 

    1. Restrict access to cardholder data by business need to know 

    2. Assign a unique ID to each person with computer access 

    3. Restrict physical access to cardholder data 

  5. Regularly Monitor and Test Networks 

    1. Track and monitor all access to network resources and cardholder data 

    2. Regularly test security systems and processes 

  6. Maintain an Information Security Policy 

    1. Maintain a policy that addresses information security for all personnel 

PCI DSS applies wherever account data is stored, processed, or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data, as follows: 

Cardholder Data Includes:

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data Includes:

  • Full magnetic stripe data or equivalent on a chip
  • CAV2 / CVC2 / CVV2 / CID
  • PINs / PIN blocks

The next table illustrates commonly used elements of cardholder and sensitive authentication data, whether storage of each element is permitted or prohibited, and whether each data element must be protected. This table is not exhaustive but is presented to illustrate the different types of requirements that apply to each data element.

Data Element                                   Storage Permitted   Render Stored Account Data Unreadable per Requirement 3.4

Account Data: Cardholder Data
  Primary Account Number (PAN)                 Yes                 Yes
  Cardholder Name                              Yes                 No
  Service Code                                 Yes                 No
  Expiration Date                              Yes                 No

Account Data: Sensitive Authentication Data
  Full Magnetic Stripe Data                    No                  Cannot Store
  CAV2 / CVC2 / CVV2 / CID                     No                  Cannot Store
  PIN / PIN Block                              No                  Cannot Store
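A worked check of the storage rules in the table above, added here as an example (it is not part of this program's materials or any PCI SSC tooling): it flags sensitive authentication data in a stored record, renders the PAN unreadable by truncation (at most the first six and last four digits, as Requirement 3.4 permits), and runs a simple Luhn-based PAN scan over free-text fields, the kind of check behind an annual PAN scan. The field names and the public test card numbers are assumptions.

```python
import re
# Added example: sensitive authentication data (SAD) from the table above may
# never be stored after authorization; the PAN may be stored only unreadable.
PROHIBITED_FIELDS = {"track_data", "cvv2", "pin", "pin_block"}
# PAN-scan pattern: 13-19 digit runs, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """PAN scan over free text: returns Luhn-valid 13-19 digit runs."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text))
    return [c for c in candidates if luhn_valid(c)]

def truncate_pan(pan: str) -> str:
    """Render a stored PAN unreadable (Req. 3.4) by truncation: keep at most
    the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def check_record(record: dict) -> tuple:
    """Return (violations, sanitized copy): SAD dropped, PAN truncated,
    clear-text PANs found in other string fields redacted."""
    violations, clean = [], {}
    for key, value in record.items():
        if key in PROHIBITED_FIELDS:
            violations.append(f"{key}: cannot store sensitive authentication data")
        elif key == "pan":
            if not (value.isdigit() and luhn_valid(value)):
                violations.append("pan: fails Luhn check, not a valid PAN")
            clean[key] = truncate_pan(value)
        elif isinstance(value, str) and find_pans(value):
            violations.append(f"{key}: clear-text PAN embedded in a non-PAN field")
            clean[key] = "[PAN REDACTED]"
        else:
            clean[key] = value
    return violations, clean

if __name__ == "__main__":
    # Constructed sample using public test card numbers, not real accounts.
    sample = {"pan": "4111111111111111", "name": "A Cardholder", "exp": "12/29",
              "cvv2": "123", "notes": "caller read out 4012-8888-8888-1881"}
    print(check_record(sample))
```

A record that passes with no violations still contains cardholder data, so it remains in PCI DSS scope; this check only enforces the storage table, not the rest of the standard.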


Payment Card Policies 

Merchants are required to follow certain policies on payment card use. Please review these materials to ensure compliance with the policies. 


Merchant Policies Templates (Version 4.0)

All merchants must select the correct template, update it, save it, and include it with their Merchant Manual. These templates will open in a new window. 

  • All credit card processing is outsourced. 

  • Merchant only processes payments using a dial-up (copper phone line or cellular) terminal. 

  • Merchant only processes payments using an IP terminal. 

  • Merchant only processes payments using a web-based (virtual terminal) and does not store cardholder data electronically. 

  • Merchant only processes payments using systems connected to the internet and NO electronic cardholder data storage. 

  • Merchant stores electronic cardholder data. 

  • Merchants who only process payments using hardware payment terminals included in a validated and PCI SSC-listed PCI point-to-point encryption (P2PE) solution. 

  • Merchants who are e-commerce merchants who are not using URL redirection or iFrame, but instead use Direct post or JavaScript to interact with the gateway. 

  • Merchants who use software-based PIN entry on COTS (SPoC) solutions. 

Each category has two templates, a Merchant Specific Policies & Procedures Template and an Operational Policies & Procedures Template, and both carry the same description:

Category                   Description

Category 1                 All credit card processing is outsourced (SAQ A). 

Category 2                 Merchant only processes payments using a dial-up (copper phone line or cellular) terminal (SAQ B). 

Category 2 and 1           Merchant Business Unit processes payments by dial-up or cellular terminal and accepts payments by outsourced e-commerce website (SAQ A & SAQ B). 

Category 3 and 1           "Ticketmaster Lane 3000" + Ticketmaster e-commerce (SAQ A & SAQ B-IP) 

Category 3, 2, and 1       "Ticketmaster Lane 3000," Vx520 and/or cellular terminal, and Ticketmaster e-commerce (SAQ A, SAQ B, & SAQ B-IP) 

Category P2PE              Merchant only processes payments using a validated P2PE solution or is using an E2EE solution that was audited by our QSA and scope reduction was granted by our acquiring bank (SAQ P2PE-HW). 

Category P2PE and 1        Merchant Business Unit processes payments using a validated P2PE solution and is also processing payments by outsourced e-commerce website (SAQ A & SAQ P2PE-HW). 

Category P2PE, 2, and 1    Merchant Business Unit processes payments using a validated P2PE solution, by dial-up or cellular terminal, and also by outsourced e-commerce website (SAQ A, SAQ B, & SAQ P2PE-HW). 


Merchant Manuals

Section 1 –

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 –

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Training log  

SAQ A Merchant Manual Yearly Upkeep Steps

  1. Review your policies and procedures annually and record the review in the "Revision History" of your policies.
  2. Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ A annually.
  4. Make sure 3rd party documentation is updated annually.
  5. Make sure to have a new PAN scan performed annually.  
  6. Enroll staff, complete the annual online security training, and update your training log. 

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram  

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Terminal Security Section

  • Capture Device Inventory Log
  • Cellular Terminal Log
  • Capture Device Periodic Inspection Procedures
  • Capture Device Periodic Inspection Log
  • Skimming/Tampering Training

Section 8 – Training log

SAQ B Merchant Manual Yearly Upkeep Steps

  1. Review your policies and procedures annually and record the review in the "Revision History" of your policies.
  2. Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ B annually.
  4. Make sure your 3rd party documentation is updated annually.
  5. Make sure to have a new PAN scan performed annually.
  6. Enroll staff, complete the annual online security training, and update your training log.
  7. Perform your periodic physical inspections of your terminal(s).  

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram  

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Terminal Security Section

  • Capture Device Inventory Log
  • Cellular Terminal Log
  • Capture Device Periodic Inspection Procedures
  • Capture Device Periodic Inspection Log
  • Skimming/Tampering Training

Section 9 – Training log

Section 10 – PIM (P2PE Installation Manual)

SAQ P2PE Merchant Manual Yearly Upkeep Steps

  1. Review your policies and procedures annually and record the review in the "Revision History" of your policies.
  2. Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ P2PE annually.
  4. Make sure your 3rd party documentation is updated annually.
  5. Make sure to have a new PAN scan performed annually.
  6. Enroll staff, complete the annual online security training, and update your training log.
  7. Perform your periodic physical inspections of your terminal(s).
  8. Review your PIM (P2PE Installation Manual) annually to ensure it is up to date.