Small businesses rarely have the time or inclination to spend any more time satisfying PCI compliance requirements than necessary. They are often looking for shortcuts to complete this process as quickly as possible in order to get back to valuable business activities. Fortunately, the PCI Security Standards Council (SSC) has released a new set of tools for this purpose, which is specifically designed for small businesses and PCI self-assessments.

PCI Data Security Essentials & Self-Assessment Questionnaire

The PCI SSC manages the PCI Data Security Standard (PCI DSS), which consists of 12 requirements that it has developed into the PCI Self-Assessment Questionnaire (SAQ). Each requirement includes multiple directives that businesses can use to assess their payment card security policies and procedures.

Small business owners can become frustrated and discouraged after reading the full PCI assessment. The process of selecting the right questionnaire is complex. There can be a long list of questions that are difficult to answer even when the merchant selects the right questionnaire. Nevertheless, completing the PCI SAQ is a requirement for merchants who want to take credit card payments.

However, the DSE questionnaire focuses on changes with the greatest impact on a merchant’s PCI security. They function similarly to traditional PCI SAQs, except they contain fewer questions. Furthermore, the questions have a larger number of answer options that are relevant to small business, helping these merchants to better understand their risks and the methods to mitigate them.


Members of the PCI Council’s Small Merchant Taskforce have worked hard to develop the Data Security Essentials (DSE) toolkit, which will help small merchants comply with PCI DSS. The primary challenge of this task is these businesses often have PCI security postures that are just as complex as larger merchants that process far more credit card payments. The reason for this complexity is due to a combination of factors such as the growing number of payment methods and lack of technical expertise on the part of small businesses.


The taskforce’s ultimate objective with the DSE toolkit is to improve the security posture of small businesses, rather than merely increasing PCI compliance. This goal drove the development of a platform that helps small businesses determine the questionnaire they need to complete before getting started. It includes fewer requirements than previous tools by focusing on high-impact requirements and uses simpler terminology. The DSE toolkit also provides highly targeted cybersecurity resources that allow low-level merchants to understand and reduce their risk.

The task force released its first set of cybersecurity resources for small businesses in July 2016 and has continued to simplify the security and compliance process for this type of merchant. It also released an evaluation tool in August 2018, which improves on the previous DSE toolkit. This latest version provides the shortcut to PCI compliance that small businesses have been waiting for, along with information to help them improve their security posture.

Compliance questions? Get answers!

Book a free 30-minute consultation with a specialist to find your path to compliance. Secure your spot today.


Small Business Advantages to PCI Self-Assessment Questionnaires

The Data Security Essentials questionnaire chart below shows a comparison between the DSE questionnaire and PCI SAQs. The most obvious difference between the two types of questionnaires is the significant reduction in the number of questions for the DSE questionnaires as compared to the corresponding PCI SAQ. Furthermore, there aren’t any DSE questionnaires for merchant types 8 and 11 because these merchants use processing methods that the DSE can’t validate.


DSE Questionnaire No. Of Requirements Scan Required? Related PCI SAQ/No. of Requirements
Type 1 14 SAQ B/38
Type 2 14 SAQ B/38
Type 3 39 Yes SAQ B-IP/64, SAQ C/116, SAQ D/245
Type 4 39 Yes SAQ C/116, SAQ D/245
Type 5 39 Yes SAQ C/116, SAQ D/245
Type 6 39 Yes SAQ C/116, SAQ D/245
Type 7 39 Yes SAQ C/116, SAQ D/245
Type 9 13 SAQ A/22
Type 10 27 Yes SAQ A-EP/149
Type 12 20 SAQ C/116, SAQ D/245
Type 13 21 No SAQ C/116, SAQ D/245
Type 14 26 Yes SAQ C-VT/64
Type 15 15 P2PE/24



Merchants must receive approval from their merchant bank before they can validate their PCI compliance with the DSE. However, those merchants are considered PCI compliant once they complete the appropriate DSE questionnaire, although they may still be required to pass Approved Scanning Vendor (ASV) scans at regular intervals.

Increased PCI compliance from merchants reduces the risk for independent sales organizations (ISOs) and acquirers that have those merchants in their portfolios. Payment facilitators also realize the benefit of greater security when they enroll sub-merchants in a PCI program that uses DSE questionnaires. The DSE questionnaires are already available through PCI compliance vendors.

Your Professional Compliance Partner

I.S. Partners, LLC. can help compile and ensure that your PCI compliance documentation remains in order. We can also help your organization develop security policies and training procedures. Contact us online or call 215-675-1400 to learn more about how we can help your company stay PCI compliant.

About The Author

Comment on this article

Get started

Get a quote today!

Fill out the form to schedule a free, 30-minute consultation with a senior-level compliance expert today!

Great companies think alike.

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Scroll to Top