
PCI DSS Merchant Onboarding: What the Acquirer Asks Before Activating You

April 20, 2025 6 min read PCI Proxy EU

Before an acquirer activates a merchant for card acceptance, it requires PCI DSS compliance documentation. The PCI DSS merchant onboarding process varies in complexity based on the expected transaction level and the type of technical integration. Knowing in advance what is required allows documentation to be prepared quickly and activation delays to be avoided.


What the acquirer asks during PCI onboarding

The first step in PCI onboarding is classifying the merchant based on PCI DSS merchant levels. Levels range from Level 1 (over 6 million annual transactions) to Level 4 (fewer than 20,000 annual e-commerce transactions or fewer than 1 million total transactions). The level determines documentation requirements: Level 1 merchants must complete a Report on Compliance (RoC) prepared by a QSA, while Level 2, 3 and 4 merchants can usually complete a Self-Assessment Questionnaire (SAQ).

The acquirer typically requires: the completed and signed SAQ (or RoC for Level 1), the Attestation of Compliance (AOC) certifying completion of the process, results of a quarterly vulnerability scan by an Approved Scanning Vendor (ASV) for merchants managing internet-accessible network components, and documentation of internal security policies. Some acquirers also require an annual penetration test for higher-level merchants.

Documents and SAQ: how long it takes

The time required to complete PCI onboarding depends primarily on the type of SAQ applicable. The SAQ A, which applies to merchants that never touch card data (because they use a certified provider for collection and processing), has 22 requirements and can be completed in a few hours. The SAQ D, which applies to merchants managing the CDE internally, has over 300 requirements and takes weeks of work with consultant support.

Identity and business registration documents, technical architecture information and the card data flow diagram are required by almost all acquirers regardless of level. Preparing the data flow diagram, which must show how the PAN enters, passes through and exits the merchant's systems, is often the step that takes the most time if it has not been previously documented.

How to speed up onboarding with a reduced perimeter

The element that most influences PCI onboarding speed is the complexity of the perimeter to declare. A merchant using PCI Proxy EU for card data collection and processing can declare a minimised CDE: their systems never handle PANs in cleartext and therefore do not fall within the perimeter. This translates into being able to complete an SAQ A instead of an SAQ D, saving weeks on the onboarding process.

Presenting the acquirer with a data flow diagram that shows the proxy as the only PAN processing point, together with PCI Proxy EU's AOC as a certified service provider, significantly accelerates the approval process. Many acquirers have simplified procedures for merchants using certified service providers for card data processing, recognising that risk is managed by an already-controlled infrastructure.

Frequently asked questions

Can the acquirer block payments if I don't provide the SAQ?

Yes. The acquirer has both the contractual right and the obligation towards the networks to verify the PCI compliance of its merchants. If documentation is not submitted within the prescribed timeframes, the acquirer can apply additional fees, restrict payment functionalities or, in the most serious cases, suspend the acceptance agreement. The specific terms and consequences are set out in the merchant agreement.

How often does the acquirer require PCI compliance renewal?

The PCI compliance cycle is annual. The SAQ or RoC must be renewed every year, and ASV scans (for in-scope merchants) must be performed every quarter. Some acquirers send an automatic reminder 60-90 days before the current AOC expiry, but it is the merchant's responsibility to initiate the renewal process in time.

Do I need to send the PCI attestation to the network (Visa/Mastercard) too?

For Level 1 merchants, the AOC must be transmitted directly to the networks (Visa, Mastercard) as well as to the acquirer. For Level 2, 3 and 4 merchants, documentation is usually managed by the acquirer, which collects and transmits it to the networks based on internal agreements. In both cases, the acquirer is the merchant's main point of contact throughout the compliance process.

Want to speed up PCI onboarding with your acquirer by presenting a reduced CDE? Discover how PCI Proxy EU simplifies the process.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
