Choosing the Right PCI-DSS Self-Assessment Questionnaire
All merchants and service providers who either store, process, or transmit payment card information are required to be compliant with the Payment Card Industry (PCI) Data Security Standards (DSS). Compliance aside, protecting your customers’ payment card information is imperative for customer retention and brand protection.
But understanding the requirement to comply with PCI is only part of the battle. What do you need to do next? The answer to that question depends on several factors, starting with the volume of payment cards you store, process, or transmit. Card brands have set volume thresholds that may allow you to self-assess. If your organization is above the volume thresholds, you may not self-assess and must have a Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA).
If you are under the SAQ transaction volume threshold, you must then select the SAQ that is appropriate to your organization.
PCI DSS SAQ Types
How does your organization store, process, or transmit payment card data? The PCI Council has created nine self-assessment questionnaires (SAQs) that are tailored to payment card transaction channels. Selecting the appropriate PCI Self-Assessment Questionnaire is an important step in complying. The PCI Council provides guidance on selecting the appropriate SAQ; however, even with that guidance, many organizations struggle to select the correct one.
| PCI DSS SAQ Type | Eligibility Criteria | No. of Questions |
|---|---|---|
| SAQ A | For e-commerce/mail/telephone-order (card-not-present) merchants which have completely outsourced all cardholder data functions. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. | 24 |
| SAQ A-EP | For e-commerce-only merchants that rely on third-party service providers to handle card information and which have a website that doesn’t process credit card data, but could impact the security of the payment transaction. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. | 192 |
| SAQ B | For merchants which utilize imprint machines and/or standalone, dial-out terminals, and do not transmit, process, or store electronic cardholder data. This is not for e-commerce activities. | 41 |
| SAQ B-IP | For merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and which do not store electronic cardholder data. This is not for e-commerce activities. | 87 |
| SAQ C-VT | For merchants which utilize a virtual terminal on one computer dedicated solely to card processing, and which do not store electronic cardholder data. This is not for e-commerce activities. | 161 |
| SAQ C | For any merchant which utilizes a payment application connected to the internet, but with no electronic cardholder data storage. | 84 |
| SAQ P2PE | For merchants which utilize approved point-to-point encryption (P2PE) devices, with no electronic cardholder data storage. | 34 |
| SAQ D for Merchants | For all SAQ-eligible merchants which don’t meet the criteria for other types. For merchants which do not outsource their credit card processing or use a P2PE solution, and may store credit card data electronically. | 328 |
| SAQ D for Service Providers | For service providers deemed eligible to complete an SAQ. | 370 |
Which PCI DSS SAQ Is Right for Your Organization?
If you are ready to start delving into the PCI DSS compliance process, but feel the need for some extra guidance, our team at I.S. Partners, LLC. can help. Our QSAs are ready to assist you in identifying the SAQ best suited to your company.