PCI Security Standards Council

What to Secure?

Focus on protecting cardholder data
under your control

You are responsible for protecting cardholder data at the point of sale, and as it flows into the payment system. The best step you can take is to not store any cardholder data. Compliance with the PCI standard includes protecting:

  • Card readers
  • Point of sale systems
  • Store networks & wireless access routers
  • Payment card data storage and transmission
  • Payment card data stored in paper-based records

Evaluate with a Self-Assessment Questionnaire

Most small merchants can use a self-validation tool to assess their security for cardholder data. The tool includes a short list of yes-or-no questions for compliance. Click on the Self-Assessment Questionnaire number that best describes how you accept payment cards.


How do you accept payment cards?


Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.


Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.


Merchants using only web-based virtual terminals, no electronic cardholder data storage.


Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.


All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

Click here – “Quick Guide” to the PCI Data Security Standard

PCI Security Standards Council Founders