PCI DSS 3.0 for Online Merchants

Posted on December 18, 2014 Ryan Daigle

Nothing strikes fear in the heart of online merchants quite like PCI DSS – the set of “technical and operational requirements designed to protect cardholder data” put forth by the credit card networks (Visa, MasterCard, etc…). If you accept credit cards online, even if you’re not storing or processing those cards yourself, you need to be aware of its requirements and prepared to invest some time into compliance.

The upgrade from v2.0 to PCI DSS 3.0 introduced some important changes, making now a good time to review your steps to compliance as well as highlight what’s changed. (In February 2017, the PCI Security Standards Council released an update to its best practices guidelines for securing e-commerce and PCI compliance, which you can read about here.)

pci dss 3.0 for online merchants

Do I have to get PCI certified?

If you accept credit cards from your customers then, yes[1].

Many gateways and online payment processing solutions will claim their drop-in credit card widgets exclude you from PCI compliance or make you PCI compliant. This is not true. Even if a third party is handling the collection, processing, and storage of protected cardholder data, you must still go through the PCI assessment process. What these type of solutions do, including Spreedly’s, is reduce your compliance burden. You still have to certify, but can often do so with much less effort than if you were processing and storing the card data yourself.

How do I get PCI certified?

PCI certification takes two forms: Self-assessment (i.e. do-it-yourself) or hiring a third party QSA (Qualified Security Assessor). Though there are obvious advantages to self-assessing, including effort and cost, your ability to self-asses is dependent on your annual transaction volume and is reflected in the resulting level of PCI certification (1-4) you attain.

The following table describes the relationship between your transaction volume, required assessment approach, and level of certification:

If you have… then you can… to achieve
less than 20,000 online transactions per year self-assess PCI Level 4 certification
between 20,000 and 1 million online transactions per year self-assess PCI Level 3 certification
between 1 million and 6 million online transactions per year self-assess PCI Level 2 certification
over 6 million online transactions per year hire an independent assessor (QSA) PCI Level 1 certification

Note: While PCI DSS outlines the requirements to become certified, there are subtle differences across payment networks (the table above was created from the Visa merchant guidelines). It is ultimately up to your merchant/acquiring bank to determine what is required for your compliance. Please be sure to check with them before beginning the compliance process.

How do I self-assess?

If you are processing less than 6 million online transactions per year it’s quite likely you can self-assess. This is a good thing, but you’re not out of the woods yet. Depending on your level of involvement in handling card data, you may still need to complete a lengthy questionnaire and perform an extensive internal review.

Self-assessment for online merchants usually occurs by filling out one of three self-assessment questionnaires (SAQs). Listed in increasing order of scope they are SAQ A, SAQ A-EP and SAQ D. By way of comparison, the SAQ A has fourteen questions listed while the SAQ A-EP has over one hundred across almost thirty pages. Assessing under SAQ A is, for obvious reasons, the goal of most online merchants.

So can you use the SAQ A? It depends on your technology and provider choices, both of which dictate how card data passes from the consumer, through (or around) you, and onto your gateway:

If your systems… then use
do not touch, process or store cardholder data, and do not serve any card collection forms SAQ A
do not touch, process or store cardholder data, but do serve card collection forms SAQ A-EP
do touch, process or store cardholder data SAQ D

SAQ A-EP is a new questionnaire, as of PCI DSS 3.0, and its distinction from SAQ A is a subtle but important one…


Prior to PCI DSS 3.0, online merchants that used Javascript libraries or transparent-redirect forms from PCI DSS compliant third-party service providers were able to self-assess using SAQ A. These two approaches let the merchant host the payment page, with the sensitive card data being passed directly from the user’s browser to the gateway, bypassing the merchant all together.

With Version 3 of PCI, however, online merchants can no longer even host the payment page if they wish to qualify for SAQ A. In order to qualify for SAQ A you must use a payment form that is hosted by and submits directly to the compliant third party. In pure browser technology terms this means that you must use an iFrame-delivered payment form or a hosted payment page from your payment processor[2].

Having a payment form that is served by and submitted to a compliant third party reduces the attack vectors by which a malicious party is able to gain access to a user’s entered credit card data. For instance, an attacker that gains access to your merchant systems can no longer compromise your payment page and siphon off card data before submitting it to the intended processor. The card payment form is protected from such intrusions by web browsers’ cross-domain security policies which limit the ability for pages on one domain to access the content of pages on another domain.

While there are always risks of compromise for any approach, PCI DSS has determined that an iFrame or hosted payment form is less susceptible than an in-merchant form.

Spreedly customers wishing to switch to an iFrame-based payment form can contact us to take part in our iFrame beta program.

Proof of compliance

Once you have self-assessed using the appropriate questionnaire you will need to fill out an attestation of compliance, or AOC, to formally declare your PCI compliance results. If you have gone through a review led by an independent QSA, you will be issued an AOC.

In addition to the AOC, which needs to be reviewed and re-issued on an annual basis, you will need to sign up for a quarterly security scan of your systems from an outside provider. Together with the AOC, the quarterly scan verifies that you are maintaining your PCI compliance. An example of both the AOC and scan can be found on Spreedly’s PCI page.


PCI is not for the feint of heart, but it can be managed. When evaluating your compliance, keep the following in mind:

  • What level of compliance you need is determined by your merchant bank, informed by the number of annual transactions you are processing.
  • Self-assessing is less costly and time consuming, but is only an option for online merchants seeking less than a PCI Level 1 certification.
  • If self-assessing, using a PCI compliant service provider that provides an iFrame or hosted payment page results in the least compliance burden.
  • An AOC, together with a quarterly scan, is your proof of PCI compliance.

Good luck out there!


Build PCI compliant web and mobile services that easily integrate to your preferred processing partners for seamless transacting.

Create a dev account

Sign up for blog post updates

Get notified about new Spreedly articles on PCI compliance, gateways, & more.