Choosing the Right PCI-DSS Self-Assessment Questionnaire
All merchants and service providers that store, process, or transmit payment card information are required to be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). Compliance aside, protecting your customers’ payment card information is imperative for customer retention and brand protection.
But understanding the requirement to comply with PCI DSS is only part of the battle. What do you need to do next? The answer depends on several factors, beginning with the volume of payment card transactions you store, process, or transmit. The card brands have set volume thresholds that may allow you to self-assess. If your organization is above those thresholds, you may not self-assess and must have a Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA).
If you are under the SAQ transaction volume threshold, you must then select the SAQ that is appropriate to your organization.
What Is the Purpose of the PCI DSS Self-Assessment Questionnaire?
The PCI DSS self-assessment questionnaire (SAQ) is a validation tool that merchants and other service providers use to report the results of their PCI DSS self-assessment. Merchants complete an SAQ every year and submit it to their acquiring bank to evaluate their compliance with the PCI DSS. In addition to letting the acquiring bank know that the merchant is in compliance, the SAQ helps merchants detect gaps in their security practices, which gives them the chance to make corrections before those gaps become a bigger problem.
PCI DSS SAQ Types
How does your organization store, process, or transmit payment card data? The PCI Council has created nine self-assessment questionnaires (SAQs), each tailored to a particular payment card transaction channel. Selecting the appropriate PCI SAQ is an important step in complying. The PCI Council provides guidance on selecting the appropriate SAQ; however, even with that guidance, many organizations struggle to select the correct one.
| PCI DSS SAQ Type | Eligibility Criteria | No. of Questions |
| --- | --- | --- |
| SAQ A | For e-commerce/mail/telephone-order (card-not-present) merchants that have completely outsourced all cardholder data functions. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. | 24 |
| SAQ A-EP | For e-commerce-only merchants that rely on third-party service providers to handle card information and that have a website which doesn’t process credit card data but could impact the security of the payment transaction. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. | 192 |
| SAQ B | For merchants that use imprint machines and/or standalone, dial-out terminals, and do not transmit, process, or store electronic cardholder data. Not for e-commerce channels. | 41 |
| SAQ B-IP | For merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that do not store electronic cardholder data. Not for e-commerce channels. | 87 |
| SAQ C-VT | For merchants that use a virtual terminal on one computer dedicated solely to card processing, and that do not store electronic cardholder data. Not for e-commerce channels. | 161 |
| SAQ C | For any merchant that uses a payment application connected to the internet, but with no electronic cardholder data storage. | 84 |
| SAQ P2PE | For merchants that use approved point-to-point encryption (P2PE) devices, with no electronic cardholder data storage. | 34 |
| SAQ D for Merchants | For all SAQ-eligible merchants that don’t meet the criteria for the other types: merchants that do not outsource their credit card processing or use a P2PE solution, and that may store credit card data electronically. | 328 |
| SAQ D for Service Providers | For service providers deemed eligible to complete an SAQ. | 370 |
What Does the Basic Self-Assessment Questionnaire Entail?
Each SAQ consists of 12 requirement sections, which are grouped into six broader categories called “control objectives.” Each section focuses on a specific area of PCI DSS security, and all sections must be completed.
The 12 requirements are divided into sub-requirements whose scope depends on the SAQ type and what it is designed to assess. The 12 high-level requirements themselves, however, have remained the same with each new version of the PCI DSS.
The “expected testing” column of each SAQ gives merchants a high-level description of each testing activity that must be performed to show whether the merchant is, or is not, compliant. Starting with version 3, the SAQ was updated to provide more guidance and reporting information for each PCI DSS requirement.
What Does It Take to Pass or Fail the Self-Assessment Questionnaire?
The merchant must answer “yes” (or legitimately answer “not applicable”) to every question in order to be considered compliant with the PCI DSS. Failing a single question renders the merchant non-compliant, and the merchant must immediately address and remediate the risk revealed by the SAQ.
Which PCI DSS SAQ Is Right for Your Organization?
If you are ready to start the PCI DSS compliance process but would like some extra guidance, our team at I.S. Partners, LLC can help. Our QSAs are ready to assist you in identifying the SAQ best suited to your company.