Read frequently asked questions to learn more.
Understand the Validation Requirements for Merchants
Onsite or Self-Assessment
A detailed assessment performed by a PCI SSC certified Qualified Security Assessor (QSA) or by a certified Internal Security Assessor (ISA). The assessment validates to the acquirer that the organization is handling card data in accordance with the Payment Card Industry Data Security Standards (PCI DSS).
Applies to: Level 1 and 2 Merchants
Self-Assessment Questionnaire (SAQ)
Validation tool primarily used by merchants and service providers not required to undergo an onsite assessment in self-evaluating their compliance with the PCI DSS.
Applies to: Levels 2, 3 and 4 Merchants
External Vulnerability Scan
Vulnerability Scanning performed by a PCI SSC Approved Scanning Vendor (ASV) of all Internet–facing system components that are a part of, or provide a path to, the cardholder data environment.
Applies to: All Merchants (as applicable)