field notes · 2026-04-18 · 8 min read · the multiflow desk

Free PCI scope estimator — SAQ level + attack surface


    PCI scope estimator

    Eight questions. Maps to SAQ type, control count, and reduction path.


    What PCI scope actually means

    PCI DSS (Payment Card Industry Data Security Standard) is the set of security controls that every merchant accepting card payments is contractually required to comply with. The standard runs 300+ pages; the number of controls you're actually responsible for depends on your scope. Scope is defined by how cardholder data flows through your systems.

    If a full card number ever touches your server, you're in "SAQ D" scope — the largest, with 350+ controls covering everything from network segmentation to background checks on employees. If you redirect to a hosted payment page and never touch card data, you're in "SAQ A" scope — 22 controls, mostly vendor management and TLS.

    The cost difference is enormous. SAQ A can be self-assessed in a day. SAQ D requires a Qualified Security Assessor (QSA) annual engagement costing $25k-150k, quarterly vulnerability scans, penetration tests, and a full information security program. For a $2M/yr merchant, SAQ D overhead is 3-7% of revenue. For an SAQ A merchant it's under 0.2%.

    The SAQ levels

    SAQ A — 22 controls

    Entirely outsourced checkout. You redirect customers to a payment page hosted by your processor (Stripe Checkout, Braintree Hosted, PayPal redirect). Card data never touches your server or browser. Lowest scope.

    SAQ A-EP — 191 controls

    Iframe or hosted fields. The payment form renders inside your page via an iframe provided by the processor (Stripe Elements, Braintree Hosted Fields). Cards still don't touch your server, but your page hosts the iframe, which means you need controls around the parent page's integrity: Content Security Policy, Subresource Integrity, TLS, change management.

    SAQ B / SAQ B-IP — 40-80 controls

    Physical POS terminals only. Standalone dial-up terminals (SAQ B) or IP-connected terminals (SAQ B-IP) that encrypt at swipe. No ecommerce component. Scope is the terminals and the network segment they sit on.

    SAQ C / SAQ C-VT — 80-160 controls

    Payment application on your computer or virtual terminal. You enter card numbers into a software application. Scope includes the workstation, the network it's on, and the application.

    SAQ D — 350+ controls

    Default scope when no other SAQ applies. Anyone who touches raw card data, stores PANs, or has complex hybrid environments. Requires Level 1 QSA assessment above 6M transactions/year.

    Volume tiers (Levels)

    PCI Levels are separate from SAQ types. They're a volume-based classification that determines assessment rigor.

    • Level 1: 6M+ Visa/MC transactions/yr. Annual QSA-led Report on Compliance (RoC).
    • Level 2: 1M-6M transactions/yr. Annual SAQ plus ASV scans.
    • Level 3: 20k-1M ecommerce transactions/yr. Annual SAQ plus ASV scans.
    • Level 4: Under 20k ecommerce transactions/yr. Annual SAQ, ASV scans typically required by acquirer.

    How the estimator decides

    The first two questions test whether you've outsourced checkout. A "yes" to hosted redirect puts you in SAQ A territory. A "yes" to iframe fields pushes you to SAQ A-EP. A "yes" to raw card handling or storage jumps to SAQ D.

    MOTO (mail-order/telephone-order) drags you into SAQ C or D regardless of ecommerce design — because staff are entering card data into a connected system. POS pulls you into SAQ B territory.

    Third-party tokenization doesn't help you avoid scope if you still touch cards before tokenization. Tokenization via the processor's iframe is SAQ A-EP; tokenization via your own server is still SAQ D.
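The decision tree described above, as an added example (not the page's own estimator widget), written as a pure function so each branch can be exercised; the input keys are assumed names that mirror the eight questions, and the control counts are the page's own figures.

```javascript
// Added example: the estimator's branch order as a testable function.
// answers: { hostedRedirect, iframeFields, touchCards, storesPan, moto, pos,
//            thirdParty, largeVolume } -- all booleans, missing keys read as false.
function estimatePciScope(answers) {
  const a = answers;
  let saq, controls, tier;
  if (a.touchCards || a.storesPan) {           // raw PAN handling or storage wins
    saq = "SAQ D"; controls = "350+"; tier = "HIGH";
  } else if (a.moto) {                          // staff keying cards into a system
    saq = "SAQ C / SAQ B-IP / SAQ D"; controls = "80-350"; tier = "MEDIUM-HIGH";
  } else if (a.pos) {                           // physical terminals only
    saq = "SAQ B / SAQ B-IP"; controls = "40-80"; tier = "MEDIUM";
  } else if (a.iframeFields && !a.hostedRedirect) {
    saq = "SAQ A-EP"; controls = "191"; tier = "MEDIUM";
  } else if (a.hostedRedirect) {
    saq = "SAQ A"; controls = "22"; tier = "LOW";
  } else {                                      // nothing outsourced: default scope
    saq = "SAQ D"; controls = "350+"; tier = "HIGH";
  }
  // Volume level is independent of SAQ type; Level 1 adds a QSA-led assessment.
  const level1 = Boolean(a.largeVolume);

  // Reduction path, in the order the page recommends tackling it.
  const reductions = [];
  if (a.touchCards) reductions.push("Move checkout to hosted redirect or iframe fields (SAQ D to A/A-EP).");
  if (a.storesPan) reductions.push("Stop storing PANs; keep processor tokens only.");
  if (a.moto) reductions.push("Move MOTO to a segmented virtual terminal with P2PE.");
  if (!a.hostedRedirect && !a.iframeFields) reductions.push("Adopt hosted checkout or iframe fields first.");
  if (a.iframeFields && !a.hostedRedirect) reductions.push("Enforce CSP, SRI and TLS on the page hosting the iframe.");
  if (reductions.length === 0) reductions.push("Already near minimum: keep vendor AoCs current and run quarterly scans.");
  return { saq, controls, tier, level1, reductions };
}
```

Third-party tokenization (thirdParty) is accepted but does not change the outcome, matching the text: touching cards before tokenization already lands in SAQ D.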

    The reduction path — SAQ D to SAQ A

    Step 1: Remove PAN storage. If you're storing card numbers (even encrypted), stop. Replace with processor tokens. Processors all support token-based repeat billing.

    Step 2: Remove PAN handling. If you're accepting card data in your own forms, switch to iframe fields or hosted redirect. Takes 1-4 weeks of engineering work; immediately drops you from SAQ D (350 controls) to SAQ A-EP (191) or SAQ A (22).

    Step 3: Isolate MOTO. If you take phone orders, use a separate virtual terminal with P2PE encryption. Segment that workstation's network. Keep MOTO out of the main system scope.

    Step 4: Document third-party vendors. Every vendor touching card data needs an Attestation of Compliance (AoC) on file. Maintain vendor documentation quarterly.

    Multi-brand PCI consolidation

For an operator running 12 brands, per-brand PCI scope multiplies the overhead: 12 separate ecommerce environments mean 12 SAQs, 12 sets of vulnerability scans and 12 sets of vendor documentation. Consolidating on a parent merchant account with shared checkout infrastructure collapses this to one SAQ at the parent level. Operators on multiflow's parent-MID model run one SAQ A for the whole portfolio.

    FAQ

    Does PCI apply if I only use Stripe?

    Yes. Stripe reduces your scope to SAQ A (redirect) or SAQ A-EP (Elements) but does not eliminate it. You're still responsible for your portion.

    What if I fail a PCI assessment?

The acquirer imposes monthly "non-compliance" fees ($15-50/mo) until you remediate. Continued failure can trigger account termination and a Code 12 MATCH placement.

    Is SAQ self-assessment valid?

    Yes for SAQ A, A-EP, B, B-IP, C, C-VT below Level 1. Level 1 requires QSA engagement regardless of SAQ type.

    Do I need a penetration test?

Quarterly ASV scans are required for SAQ A-EP and higher; an annual penetration test is required for SAQ D / Level 1.

    Can I use one PCI certification across multiple brands?

    If brands share the same checkout infrastructure and legal entity, yes. Separate legal entities need separate attestations.
