PCI Security

Cardholder Data Security

The security of cardholder data affects everybody from customers to merchants to financial institutions. Taking steps to secure cardholder data can help preserve customer trust, mitigate risk of loss, and benefit your organization in the long term.

Maintaining payment security is required for all companies (including merchants and their suppliers) that store, process or transmit cardholder data. Guidelines for maintaining payment security are provided in the PCI Data Security Standards (PCI DSS), which sets the technical requirements for organizations accepting or processing payment transactions. The Council has also published a Glossary to help with some of the confusing language.

Self-Assessment Questionnaire (SAQ)

Most small merchants can use a self-validation tool to assess their level of cardholder data security. There are 8 different kinds of Self-Assessment Questionnaires (SAQ), each designed for specific merchant environments. Only you can determine which SAQ is right for your company.

Since most PacNet Clients outsource most or all of their card functions, they are eligible for SAQ A or SAQ A-EP. Those who maintain control over collecting, transmitting or storing card data will need to complete SAQ D. SAQ D is admittedly a challenge, so don’t hesitate to ask us about ways to reduce your scope for PCI compliance.

There are two components to the Self-Assessment Questionnaire (SAQ)


A set of questions relating to each of the applicable PCI Data Security Standard requirements.


An attestation that you are eligible to perform, and have performed, the appropriate SAQ. The attestation form will be packaged with the questionnaire that you select.

Use our helpful tool to determine which SAQ applies to your business.


Which SAQ is right for me?

Need Help completing the forms?


SAQ A is appropriate for all card-not-present merchants (e-commerce or mail order/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers. No electronic storage, processing, or transmission of any cardholder data takes place on the merchant’s systems or premises.


SAQ A-EP is appropriate for e-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website that doesn’t directly receive cardholder data, but that can impact the security of the payment transaction. For example, if information is passed through your site using Java Script, then you are eligible for SAQ A-EP. No electronic storage, processing, or transmission of any cardholder data takes place on the merchant’s systems or premises.


SAQ D applies to all card-not-present merchants that directly store, manage, process or transmit cardholder data on their systems or premises as part of the payment process, and all merchants who do not meet the criteria for any of the other SAQs. SAQ D would also be applicable to MOTO merchants who upload batches of card information to the Raven Payments Engine using Raven Online.

As SAQ D covers the full set of over 200 requirements, it is recommended to first evaluate whether it is possible to reduce your PCI scope in order to qualify for another SAQ. Please contact us if you would like to discuss ways to reduce your scope for PCI compliance.

PCI Security at PacNet Services

PacNet Services is a PCI-compliant provider. All PacNet payment information is passed through Raven, a secure payments engine.

Raven is managed by DeepCove Labs and has been audited by a PCI-certified auditor. Raven has been certified as a PCI Level 1 Service Provider, which is the highest level of certification available.