We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Free interactive tool

Are you in scope for PCI DSS?

Answer four quick questions to get an indicative read on your PCI DSS v4.0 scope, your likely SAQ type or merchant level, and the fastest path to compliance.

1. How does card payment data flow through your business?
2. Which best describes you?
3. Roughly how many card transactions per year?
4. Do you use a PCI-compliant payment gateway / processor?

How PCI DSS scope works

Scope is everything

Your PCI DSS effort and cost are driven almost entirely by how much of your environment touches cardholder data. Get scoping right first.

SAQ vs ROC

Smaller/outsourced merchants often validate with a Self-Assessment Questionnaire (SAQ); Level 1 merchants and most service providers need a QSA-led Report on Compliance (ROC).

Reduce, don’t just comply

Tokenisation, segmentation and outsourcing card capture can drop you from a heavy SAQ D to a light SAQ A — less cost, less risk.

Explore our PCI DSS QSA services →