Merchants who store, process, or transmit cardholder data are subject to the PCI-DSS requirements. Transaction volume and payment acceptance method(s) dictate whether a Report on Compliance (ROC) or one of the Self-Assessment Questionnaires (SAQ) A-D applies. A host of controls apply in ROCs and SAQs, including firewalls, SIEM, SAQ compliance assessments, ASV vulnerability scans, penetration testing and more.
When a merchant adopts a PCI-validated point-to-point encryption (P2PE) solution, the solution effectively devalues the data so that typical security controls are no longer needed. Only merchants using validated P2PE solutions see their scope reduced to the 33 controls within the P2PE SAQ.