Nine questions, five minutes, one personalised Self-Assessment Questionnaire recommendation. Get the right SAQ type and a written gap report — without the salesy procurement cycle.
Most Malaysian merchants we speak to know they have a PCI DSS obligation but are unclear which Self-Assessment Questionnaire (SAQ) actually applies to them. The PCI Security Standards Council publishes nine SAQ variants — A, A-EP, B, B-IP, C, C-VT, P2PE, SPOC and D-Merchant — and the wrong choice means either over-engineering a control set you do not need, or under-reporting and discovering the gap on a forensic investigation after a breach.
This wizard walks you through nine scoping questions covering card-data flow, acceptance channels, transaction volume, e-commerce integration model, POS architecture, tokenization, network segmentation and call-centre handling. The output is a directional SAQ recommendation, the estimated merchant level under the card-scheme tiers, and a written gap report sent to your email — in about five minutes, with no procurement call required.
This is a free educational tool. The output is not a PCI compliance attestation. nCrypt delivers PCI ASV scanning through partnership with PCI SSC-listed Approved Scanning Vendors and assists merchants with SAQ scoping, control implementation and remediation in our own right.
A nine-question scoping wizard is a useful starting point, but it is not a substitute for a real PCI DSS scoping engagement. Specifically, the wizard does not validate the security of your tokenization provider, does not verify network segmentation, does not enumerate which third parties touch cardholder data, and does not produce the signed Attestation of Compliance your acquirer will require.
What the wizard does well is pre-empt the procurement back-and-forth. By the time you talk to a consultant, you already know which SAQ family you are most likely in, which means the scoping conversation can start at the level of “here are the gaps in the controls SAQ X requires” rather than “let me explain what PCI DSS is.”
For a deeper treatment of PCI DSS in the Malaysian merchant context, see our PCI DSS compliance hub and PCI ASV scanning service page.
The Payment Card Industry Data Security Standard (PCI DSS) is the contractual standard that any merchant accepting branded card payments (Visa, Mastercard, American Express, Discover, JCB) must comply with. The current version is PCI DSS v4 (effective requirements from March 2024, future-dated requirements from March 2025). The standard sets 12 high-level requirements grouped into six control objectives, and validates compliance via either a Self-Assessment Questionnaire (Levels 2-4) or a Report on Compliance signed by a Qualified Security Assessor (Level 1).
PCI DSS is a contractual obligation imposed by your acquirer, not a Malaysian statute. However, a PCI breach in Malaysia can trigger PDPA breach-notification obligations, contractual liability to your acquirer, scheme fines, and reputational damage that materially exceeds the cost of becoming compliant in the first place.
No. The wizard is a free educational tool that gives you a directional view of which Self-Assessment Questionnaire (SAQ) is most likely to apply to your environment, plus a written gap report by email. Validated PCI DSS compliance requires a Self-Assessment Questionnaire signed by an authorised officer (or a Report on Compliance by a Qualified Security Assessor at Level 1), an external vulnerability scan signed by a PCI SSC-listed Approved Scanning Vendor, and an Attestation of Compliance accepted by your acquirer.
nCrypt is in the process of formal PCI SSC accreditation. We deliver PCI ASV scanning to Malaysian merchants today through partnership with PCI SSC-listed Approved Scanning Vendors — the scan is signed by a listed ASV and accepted by acquirers. We also deliver SAQ scoping, control implementation and remediation services in our own right.
The recommended SAQ, estimated merchant level, the specific scoping considerations behind the recommendation, the questions to put to your acquirer to confirm reporting obligations, the controls most likely to be gaps in a merchant of your profile, and a suggested remediation roadmap. The report is generated from your wizard answers and emailed to the address you provide.
The card schemes (Visa, Mastercard) define merchant levels by annual transaction volume. Level 1 (typically over 6 million transactions per year per scheme, or any merchant a scheme designates) requires an on-site Report on Compliance (RoC) by a Qualified Security Assessor (QSA). Levels 2-4 may validate via Self-Assessment Questionnaire and quarterly external vulnerability scan by an Approved Scanning Vendor.
Yes — PCI DSS responsibility cannot be fully outsourced. Even if your gateway is fully PCI-compliant, you remain responsible for the integrity of the redirect, the security of the page that hosts the iframe, vendor management of the gateway, and any card-on-file or recurring-billing flows you operate. The good news is that with a clean redirect or hosted-fields integration, your in-scope obligations collapse to SAQ A or SAQ A-EP, which is materially less work than SAQ D-Merchant.
The wizard above is the easy version. If you would prefer a 30-minute call to walk through scope, ASV scanning, and the path to validated compliance, we are happy to do that.