PCI DSS QSA Consultancy

ProCheckUp work with merchants and vendors to ensure they are compliant with PCI Security Council's standard. ProCheckUp are Qualified Security Assessors accredited by the PCI Security Council. To confirm ProCheckUp's status as a QSA with the PCI Security council click here.

The level of assessment performed will depend upon whether you’re a service provider or merchant and at which level. Based on this you will need to either undergo a self-assessment questionnaire (SAQ) or a full Report on Compliance (ROC).

Merchants are the most common type of organization affected by PCI compliance. Merchants are organizations that process card transactions, and can range from high-street stores and energy providers to online shops and charities.

Service providers
Service providers are defined as any organization that stores, processes, or transmits cardholder data on behalf of another. This also includes companies that could impact the security of that cardholder data. This covers various types of organizations, including:

  • Hosting providers
  • Call centers
  • Network support
  • Payment processing
  • Media storage centers
  • Data destruction

Some organizations can fall into both categories, handling card payments for themselves and also on behalf of other companies.

Which level do you need to be assessed against?
The first thing to establish as an organization is what level you are under PCI DSS guidelines. This level is normally set based on the number of transactions made per year. However it can be increased if you’re considered to be a high risk organization (as a result of past breaches).

As a merchant you would normally receive a letter from your merchant acquirer, informing of the number of transactions and establishing which level of PCI compliance you need to attain.

For merchants, there are four levels, with Level 1 being the highest and Level 4 the lowest. The guidance on how to determine each level is set by the card brands. However, ultimately it’s the merchant acquirer (also known as the acquiring bank) who sets this level. If you’re in any doubt, please contact your acquirer.

Please see the below table or go to our PCI FAQ to find out more information about PCI.

Merchant level Criteria Validation

Any merchant processing over 6 million VISA or MasterCard transactions a year

Any compromised merchant

• Annual audit and Report on Compliance (RoC)
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV


1-6 million transactions


• Self-Assessment Questionnaire (SAQ) or annual audit and RoC
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV


20,000-1 million e-commerce transactions

• Self-Assessment Questionnaire (SAQ)
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV


<20,000 e-commerce transactions
<1 million otherwise

• Self-Assessment Questionnaire (SAQ) recommended
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV if applicable

For service providers, there are only two levels - Level 1 and Level 2. Unlike merchants, service providers must look at the aggregate number of transactions per year to determine which level they are.

Provider level Criteria Validation

300,000+ transactions annually

• Annual audit and Report on Compliance (RoC)
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV


<300,000 transactions annually

• Self-Assessment Questionnaire (SAQ-D)
• Quarterly external vulnerability scan by an ASV

One of the key differences between merchants and service providers is how they submit completed reports. Merchants submit their completed reports to their acquirer, whereas service providers must submit reports to the individual card brands (Visa, MasterCard, American Express, JCB, and Discover).

Compliance Validation
Both Level 1 merchants and service providers can only validate compliance with an independent assessment by a PCI QSA. Level 2 (and below) merchants and service providers may be able to complete an SAQ to validate compliance.

For merchants, there are multiple SAQs, each of which represents a subset of PCI requirements and can be completed if certain criteria are met. For service providers who wish to self-assess (and merchants who don’t meet the criteria for any other SAQs) SAQ D must be completed. SAQ D constitutes the full set of PCI requirements.

The proof of compliance validation is the Attestation of Compliance (AoC). Completed by an officer of the company responsible for compliance (typically the CFO or similar), this attestation certifies all of the relevant PCI requirements have been met. If the assessment that took place was an audit, this will also be countersigned by the lead QSA responsible for the assessment. 

Engagement Lifecycle

ProCheckUp's team of QSAs assists merchants or service providers in the following areas:

  • Initial scoping of requirements
  • Gap analysis
  • Consultancy services, as well as the final onsite PCI DSS audit

The QSA builds a relationship with each client and guides them step by step on their journey to compliance.

The PCI Data Security Standard is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including Visa, MasterCard, American Express, Discover Financial Services and JCB, in order to facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer account data.


Contact us to discuss your PCI DSS requirements with a QSA.

Need Help?

If you have any questions about cyber security or would like a free consultation, don't hesitate to give us a call!

+44 (0) 20 7612 7777

Our Services

Keep up to date!

Subscribe to our newsletter. Keep up to date with cyber security.