Listen to: "PCI DSS SAQ Types: Which Type Is Right for Your Business?"
Choosing the Right PCI-DSS Self-Assessment Questionnaire
Diligent merchants actively seek out the best ways to protect cardholder data for and ensure privacy for clients. The nature of online business dictates that business owners look out for their customers’ best interests as they collect, store, and transmit their valuable personal and financial information.
A PCI DSS Self-Assessment Questionnaire (SAQ) is a document developed and intended for merchants who perform to PCI DSS accountability and audits. Each participating merchant must complete this set of questions each year and submit it to their acquiring bank that processes their credit and debit card transactions.
Designed, developed, and deployed by the PCI Security Standard Council, the SAQ serves as a validation tool that helps merchants and other service providers who are allowed to operate by the various payment brands—American Express, Discover Financial Services, MasterCard, Visa and JCB International—to self-evaluate according to the standards within the PCI DSS.
How the PCI DSS SAQ Helps You Stay PCI Compliant
Using the fundamentals of the PCI DSS SAQ as a guide, will provide a solid foundation as you begin developing your own strategy to achieve reliable PCI compliance.
For each completed SAQ, a merchant has the opportunity to see and evaluate their own security practices. The results allow merchants to plan compliance according to the requirements of the PCI DSS with a more targeted and solution-oriented focus. Finally, the SAQ provides the acquiring bank the necessary evidence and assurance that the merchant has achieved PCI compliance for the prescribed time frame.
PCI DSS Self-Assessment Questionnaire Instructions and Guidelines
Each SAQ consists of a set of 12 security requirements, which are further subdivided into six broader sections, which are also known as “control objectives.” Each of these six sections targets a specific security concern from the PCI DSS. Each merchant must complete all sections.
The Prioritized Approach groups the 12 standard PCI DSS requirements into six milestones that serve as a roadmap for designing, developing, implementing, and monitoring security policies, protocols and practices. The following six milestones of the Prioritized Approach provide an overview for merchants to increase security and mitigate the highest risks and escalating threats while working towards PCI DSS compliance.
- The removal of authentication data from all network storage devices and the limitation of data retained.
- The protection of points of access for networks and systems, as well as the response to system breaches.
- The securing of payment card applications within application servers, processes, and controls.
- The monitoring and controlling of all authorized access.
- The protection of stored data, using key protection mechanisms.
- The completion of all PCI DSS requirements, along with finalizing related processes, procedures, and policies.
When PCI DSS v3.2.1 was released in 2018, not much was changed with regard to the SAQs in comparison to the previous version. Version 3.2 did introduce significant changes to the SAQ process, allowing for more insightful responses and better overall evaluations of each organization’s controls. It also included more detailed and in-depth descriptions of the type of test requirements for DSS-validated service providers and merchants.
9 PCI DSS SAQ Types
While it seems simple enough to answer some basic questions, there are nine different versions of the SAQ to consider. The version that your company will need to complete depends on the way that your organization handles credit card data; it is not related to the merchant classification or risk level. The number of questions on the SAQ ranges from 24 – 370 depending on which type is used.
When you’re trying to decide which type of PCI DSS SAQ your organization is eligible for, compare its credit card data processes to the following criteria:
|PCI DSS SAQ Type||Eligibility Criteria||No. of Questions|
|SAQ A||For e-commerce/mail/telephone-order (card-not-present) merchants which have completely outsourced all cardholder data functions. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.||24|
|SAQ A-EP||For e-commerce-only merchants that rely on third-party service providers to handle card information and which have a website that doesn’t process credit card data, but could impact the security of the payment transaction. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.||192|
|SAQ B||For merchants which utilize imprint machines and/or standalone, dial-out terminals, and do not transmit, process, or store electronic cardholder data. This is not for e-commerce activities.||41|
|SAQ B-IP||For merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and which do not store electronic cardholder data. This is not for e-commerce activities.||87|
|SAQ C-VT||For merchants which utilize a virtual terminal on one computer dedicated solely to card processing, and which do not store electronic cardholder data. This is not for e-commerce activities.||161|
|SAQ C||For any merchant which utilizes a payment application connected to the internet, but with no electronic cardholder data storage.||84|
|SAQ P2PE||For merchants which utilize approved point-to-point encryption (P2PE) devices, with no electronic cardholder data storage.||34|
|SAQ D for Merchants||For all SAQ-eligible merchants which don’t meet the criteria for other types. For merchants which do not outsource their credit card processing or use a P2PE solution, and may store credit card data electronically.||328|
|SAQ D for Service Providers||For service providers deemed eligible to complete an SAQ.||370|
Related article: VWhat Is Changing With PCI DSS 4.0?
PCI DSS Compliance Self-Assessment Questionnaire – Attestation
Companies handling electronic credit card data must attest to their compliance with the Data Security Standard every year. There are three parts to this: (1.) the Self-Assessment Questionnaire, (2.) regular network scanner by an ASV and a Report on Compliance by a Qualified Security Assessor, and (3.) the Attestation of Compliance.
The Attestation of Compliance includes a declaration of eligibility for your organization to complete that particular SAQ and the subsequent results. There are different version of this attestation; your organization should use the version of the attestation that correlates to the version of the SAQ completed.
Which PCI DSS SAQ Is Right for Your Organization?
If you are ready to start delving into the PCI DSS compliance process, but feel the need for some extra guidance, our team at I.S. Partners, LLC. can help. Our QSAs make it possible to expertly cruise through the SAQ best suited to your company.