Exam

PCI DSS QSA Questions and Answers

Pages: 6
Grade: A+
Uploaded on: 01-11-2024
Written in: 2024/2025

Who is Acquirer - answer Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution". Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.

AOC - answer Acronym for "Attestation of Compliance". The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

ASV - answer Acronym for "Approved Scanning Vendor". Company approved by the PCI SSC to conduct external vulnerability scanning services.

What is Authorization? - answer Cardholder swipes card at merchant, acquirer asks payment brand network to determine issuer, issuer approves purchase, payment network sends the approval to acquirer, acquirer sends approval to merchant, merchant displays "approved" and completes purchase.

What is Settlement? - answer Issuer determines acquirer via payment network, issuer sends payment to acquirer, acquirer pays merchant for cardholder's purchases, issuer bills the cardholder.

Who is Service Provider? - answer A business that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data on behalf of another entity.

SAQ A - answer Card-not-present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced to compliant service providers.

SAQ A-EP - answer Applies to e-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have website(s) that do not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing or transmission of any cardholder data on the merchant's systems and premises.

SAQ B - answer Applies to imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.

SAQ B-IP - answer Used for merchants who process payments via standalone PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor, with no electronic cardholder data storage.

SAQ C-VT - answer Merchants using only web-based virtual payment terminals, with no electronic cardholder data storage.

SAQ C - answer Applies to merchants with segmented payment application systems connected to the internet, with no electronic cardholder data storage.

SAQ P2PE - answer Merchants who have implemented a validated P2PE solution that is listed on the website, with no electronic cardholder data storage.

SAQ D - answer Applies to any merchants who do not meet the criteria for other SAQs, as well as all service providers.

Truncation - answer Method of rendering the full PAN unreadable by permanently removing a segment of PAN data.

QIR - answer Qualified Integrator or Reseller

Network Segmentation - answer Isolates system components that store, process, or transmit cardholder data from systems that do not.

Merchant - answer Defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC as payment for goods or services.

Masking - answer A method of concealing a segment of data when displayed or printed.

Issuer - answer Entity that issues payment cards or performs, facilitates, or supports issuing services, including but not limited to issuing banks and issuing processors.

Card Skimmer - answer A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.

How many characters are on Track 2 - answer Up to 40

How many characters are on Track 1 - answer Up to 79

Requirement 1 - answer Install and maintain a firewall configuration to protect cardholder data

Requirement 2 - answer Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 3 - answer Protect stored cardholder data

Requirement 4 - answer Encrypt transmission of cardholder data across open, public networks

Requirement 5 - answer Protect all systems against malware and regularly update anti-virus software or programs

Requirement 6 - answer Develop and maintain secure systems and applications

Requirement 7 - answer Restrict access to cardholder data by business need to know

Requirement 8 - answer Identify and authenticate access to system components

Requirement 9 - answer Restrict physical access to cardholder data

Requirement 10 - answer Track and monitor all access to network resources and cardholder data

Requirement 11 - answer Regularly test security systems and processes

Requirement 12 - answer Maintain a policy that addresses information security for all personnel

Goal 1 - answer Build and Maintain a Secure Network and Systems

Goal 2 - answer Protect Cardholder Data

Goal 3 - answer Maintain a Vulnerability Management Program

Goal 4 - answer Implement Strong Access Control Measures

Goal 5 - answer Regularly Monitor and Test Networks

Goal 6 - answer Maintain an Information Security Program

Password length is required to be - answer 7 characters

Penetration testing should be performed at least - answer Annually

Tools are to be configured to perform critical file comparisons at least - answer Weekly
