1. How does card payment data flow through your business?
2. Which best describes you?
3. Roughly how many card transactions per year?
4. Do you use a PCI-compliant payment gateway / processor?
How PCI DSS scope works
Scope is everything
Your PCI DSS effort and cost are driven almost entirely by how much of your environment touches cardholder data. Get scoping right first.
SAQ vs ROC
Smaller or fully outsourced merchants usually validate with a Self-Assessment Questionnaire (SAQ); Level 1 merchants and Level 1 service providers need a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA).
Reduce, don’t just comply
Outsourcing card capture entirely to a PCI DSS validated provider (for example a hosted payment page or a redirect, so card data never touches your systems) can move an e-commerce merchant from the full SAQ D down to the short SAQ A. Tokenisation and network segmentation shrink the environment that has to be assessed even when they do not change which SAQ applies. Less scope means less cost and less risk.
