PCI Compliance (PCI DSS v4.0.1)
Protect cardholder data, keep audits simple, and reduce your PCI scope using the Selective Pay Gateway. This page explains what PCI DSS is, which SAQ fits common setups, and what we configure to help you comply.
What is PCI DSS?
Overview
- PCI DSS is the global security standard for organizations that store, process, or transmit payment card data.
- Version 4.0.1 is the current active standard. Version 3.2.1 retired on March 31, 2024; future‑dated v4.0 requirements became active on March 31, 2025.
- Compliance is required by card brands and your acquiring bank. It’s about controls (what you do) and validation (how you prove it).
Your Role vs. Ours
- You (Merchant): implement controls in your environment and complete the appropriate SAQ and Attestation of Compliance.
- Selective Pay: provides a PCI‑DSS‑validated gateway/service provider and features (tokenization, hosted pages, MFA, logging) that keep card data off your systems.
- We’ll share our gateway’s PCI documentation (AOC/Responsibility Matrix) upon request and help you choose the right SAQ.
Scope Reduction with Selective Pay
Hosted Pages & Links
Move card entry to Selective Pay hosted pages (redirect or iFrame). Your server never sees PAN or CVV. Supports SAQ A; if your own page loads the payment form and scripts, expect SAQ A‑EP.
Virtual Terminal (C‑VT)
Manually key single transactions. Card data is tokenized and never stored on your systems.
Tokenization & Vault
Store tokens, not card numbers. Use card‑on‑file for recurring and keep PAN out of your databases.
MFA, Roles & IP Allowlists
Require MFA for every gateway login, assign least‑privilege roles (e.g. refund vs. report‑only), and restrict gateway access to your office or VPN IP ranges. Audit logs record who did what and when.
TLS & HSTS Everywhere
Strong encryption (TLS 1.2+) and browser headers on hosted pages protect data in transit.
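Selective Pay operates the hosted pages, but under SAQ A‑EP or SAQ D your own web servers are in scope and must meet the same bar. The following checker is an added example, not Selective Pay code: it lints an nginx server block for protocols below TLS 1.2 and for a missing or short HSTS header. The two config snippets, the hostnames and the one‑year HSTS threshold are constructed for this illustration.

```python
"""Lint an nginx TLS server block for PCI DSS Requirement 4 basics.

Added example (not Selective Pay code). Intended for your own in-scope web servers
(SAQ A-EP / SAQ D); the two snippets below are constructed for this illustration.
"""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 31536000  # one year: a common baseline, not a PCI-mandated number

_PROTOCOLS = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.M)
_HSTS = re.compile(r'^\s*add_header\s+Strict-Transport-Security\s+"([^"]*)"', re.M | re.I)


def check_tls_config(conf: str) -> list[str]:
    """Return a list of findings for one nginx config; an empty list means it passed."""
    findings = []

    m = _PROTOCOLS.search(conf)
    if not m:
        # Older nginx builds default to enabling TLS 1.0/1.1, so an absent directive is a finding.
        findings.append("ssl_protocols not set: nginx defaults may still allow TLS 1.0/1.1")
    else:
        enabled = set(m.group(1).split())
        weak = sorted(enabled & WEAK_PROTOCOLS)
        if weak:
            findings.append(f"weak protocols enabled: {' '.join(weak)}")

    h = _HSTS.search(conf)
    if not h:
        findings.append("no Strict-Transport-Security header")
    else:
        age = re.search(r"max-age=(\d+)", h.group(1))
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age shorter than one year")
    return findings


# Constructed "before": legacy protocols still on, no HSTS.
WEAK_CONF = """
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/shop.pem;
    ssl_certificate_key /etc/ssl/shop.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed "after": plain HTTP redirected, TLS 1.2+ only, HSTS on every response.
HARDENED_CONF = """
server {
    listen 80;
    server_name shop.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/shop.pem;
    ssl_certificate_key /etc/ssl/shop.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_tls_config(conf) or "OK")
```

Run it against the exported config of each in‑scope server before your ASV scan; the scan will flag the same weak protocols, but catching them in change control is cheaper than a failed quarterly report.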
3‑D Secure (Optional)
Add cardholder authentication for e‑commerce to reduce fraud/chargebacks (brand programs vary).
Which SAQ Do I Need? (Quick Guide)
| Scenario | Likely SAQ | Key Notes |
|---|---|---|
| Hosted Payment Links / Hosted Checkout (no card data touches your servers) | SAQ A | Fully outsourced e‑commerce. Use Selective Pay hosted pages/iFrames; enable 3‑D Secure where appropriate. |
| Your website controls the payment page (scripts/forms) but card data doesn’t pass through your server | SAQ A‑EP | Hardened web/app security still required (change control, patching, WAF, etc.). |
| Back‑office phone/mail orders keyed into a browser VT | SAQ C‑VT | Single‑transaction, manual key entry; no electronic storage of card data; secured workstations. |
| Stand‑alone IP terminals (no storage) without validated P2PE | SAQ B‑IP | Terminals are segmented and locked down; service provider guidance followed. |
| Validated PCI P2PE solution (card present) | SAQ P2PE | P2PE solution listing required; reduced scope for merchant environment. |
| Storing, processing, or transmitting card data in your systems; complex environments | SAQ D | Full set of PCI DSS requirements; QSA involvement recommended. |
Final SAQ depends on your exact architecture and how payments are integrated. We’ll help validate assumptions and provide a responsibility matrix.
Merchant Checklist (v4.0.1)
Annual / Ongoing
- Complete the correct SAQ + Attestation of Compliance (AOC).
- Run ASV scans on any Internet‑facing systems in scope (A‑EP, C, B‑IP, D).
- Patch and harden in‑scope systems; maintain anti‑malware and EDR where applicable.
- Conduct security awareness training and phishing practice for staff.
- Review and test your incident response plan; keep a breach runbook.
- Keep policies, risk assessments, and vendor reviews up to date.
Daily / Quarterly
- Inspect devices for tampering; control physical access to card‑present hardware.
- Monitor logs and alerts (gateway and any in‑scope systems).
- Quarterly vulnerability scans; annual (and after major change) penetration tests if required by your SAQ.
- Rotate passwords/secrets per policy; use MFA for all admin access.
- Keep call recordings/notes free of PAN/CVV (pause recording when taking cards by phone).
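Two items above, monitoring logs and keeping notes free of PAN/CVV, come down to the same check: does any text you retain contain a card number? The scanner below is an added example, not Selective Pay code. It finds 13 to 19 digit runs, keeps only those that pass the Luhn check (so order numbers and timestamps are not flagged), masks all but the last four digits, and redacts any CVV value outright. The three sample lines are constructed for this illustration, using the well‑known Visa and Mastercard test numbers.

```python
"""Scan log lines or agent notes for leaked PANs/CVVs and mask them.

Added example (not Selective Pay code). The sample lines below are constructed.
"""
import re
from typing import Optional

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# CVV/CVC/CSC values may never be retained after authorization, so they are redacted entirely.
_CVV = re.compile(r"(?i)\b(cvv2?|cvc2?|csc)\s*[=:]\s*\d{3,4}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # every second digit from the right is doubled, 10-18 fold to 1-9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _as_pan(candidate: str) -> Optional[str]:
    """Strip separators; return the bare PAN if length and Luhn check agree, else None."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> list[str]:
    """Return the PAN-looking substrings (as written) that pass the Luhn check."""
    return [m.group() for m in _CANDIDATE.finditer(text) if _as_pan(m.group())]


def mask_text(text: str) -> str:
    """Replace each PAN with all-but-last-four masked and drop any CVV value."""
    def mask_pan(m: re.Match) -> str:
        pan = _as_pan(m.group())
        return m.group() if pan is None else "*" * (len(pan) - 4) + pan[-4:]

    text = _CANDIDATE.sub(mask_pan, text)
    return _CVV.sub(lambda m: f"{m.group(1)}=***", text)


def scan_lines(lines: list[str]) -> dict[int, str]:
    """Return {line_index: masked_line} for every line that leaks a PAN or CVV."""
    findings = {}
    for i, line in enumerate(lines):
        if find_pans(line) or _CVV.search(line):
            findings[i] = mask_text(line)
    return findings


# Constructed sample: a capture log line (the order number is not a PAN), an agent note
# with a card read over the phone, and a request log that should never have held card data.
SAMPLE_LINES = [
    "2025-03-31T12:30:45Z order=1234567890123456 status=captured token=tok_7Hq2",
    "agent note: customer read card 4111 1111 1111 1111 exp 12/27 over the phone",
    "POST /pay pan=5555555555554444 cvv=123",
]

if __name__ == "__main__":
    for idx, masked in scan_lines(SAMPLE_LINES).items():
        print(f"line {idx}: {masked}")
```

Run this over application logs, ticketing exports and call notes on a schedule; a single hit means that system is storing cardholder data and has just entered PCI scope, so fix the source rather than only masking the copy.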
The 12 PCI DSS Requirements (Plain English)
1) Network Security
Firewalls/segmentation, secure configurations, and allowed services only.
2) Secure Configurations
Harden systems, change vendor defaults, disable unnecessary accounts.
3) Protect Stored Data
Don’t store PAN/CVV if you don’t have to; if stored, encrypt and limit access.
4) Encrypt in Transit
Strong cryptography for all card data sent over open networks.
5) Malware Protection
Anti‑malware/EDR where applicable; monitor and respond.
6) Secure Development & Patching
SDLC, code reviews, vulnerability management, prompt patching.
7) Limit Access
Least privilege; role‑based access; need‑to‑know only.
8) Strong Authentication
Unique IDs, MFA for admin access, secure password/passphrase policies.
9) Physical Security
Protect devices and media; visitor controls; tamper checks.
10) Logging & Monitoring
Track access and changes; retain logs; review alerts.
11) Testing
Scans, penetration testing, change‑driven testing, inventory of in‑scope assets.
12) Policies & Governance
Documented policies, risk assessments, vendor management, incident response.
Get Compliant with Selective Pay
What we deliver
- Hosted checkout & payment links (SAQ A/A‑EP)
- Virtual Terminal (SAQ C‑VT)
- Tokenization & customer vault
- MFA, roles, IP allowlists, audit logs
- Guidance on SAQ, ASV scanning, and scope
Next steps
- 15‑minute consult to map your flows → SAQ recommendation
- Gateway configuration & roll‑out checklist
- Provide requested compliance docs (AOC, responsibility matrix)